ON ELLIPTIC CURVE CRYPTOSYSTEMS 


A Thesis Submitted. 

in Partial Fulfilment of the Requirements 
for the Degree of 

MASTER OF TECHNOLOGY 


by 

KALYAN KUPPUSWAMY 


to the 

DEPARTMENT OF ELECTRICAL ENGINEERING 

INDIAN INSTITUTE OF TECHNOLOGY 


Febmary 1994 



Certificate 


It is certified that the work contained in the thesis entitled *011 Elliptic Curve 
Cryptosystems’* has been carried out by Kalyan Kuppuswamy under my supervision and 
that this work has not been submitted elsewhere for a degree. 





M. U. Siddiqi 




Professor 


F^^ruary 1994. 


Department of Electrical Engineering 
1. 1. T. Kanpur 





Abstract 


The traditional Cryptographic Bchemee used for Publio-Key Systems like Pohlig- 
Hellman, Ell Gamal, Massey-Omura^ etc. based on finite fields are being seriously threat- 
ened due to recent advances in solving the discrete logarithm problem over finite fields. 
Also new^ and faster methods of factoring integers (upto 100 digits) have made schemes 
like Rivest, Shamir and Adleman (RSA), based on finite rings, vulnerable to sudi attacks. 
Against this background, efforts are on to base the existing cryptographic schemes over 
more general structures, notably the elliptic curve groups and matrix ring groups, over 
vhich such attacks may become inoperative. In this thesis, we look into the theory aspects 
of the elliptic curve algebra, try to adapt the existing Public-Key cryptographic scdiemes 
like Pohlig-Hdlman, etc. on elliptic curve groups and more importantly from the practical 
viewpoint, discuss the various key implementation aspects like computational complexity, 
faster encryption, etc. that arise with these modified cryptosystems. Also a new general- 
isation, i.e cryptosystems based over monoids is carried out for elliptic curves based over 
finite rings which is the elliptic curve equivalent of the RSA scheme. The entire discussion 
is written in a Tutorial format and examples (eimxdated using C language source code) 
have been profusely quoted to illustrate the theory aspects. 



TO MY PARENTS 



Acknowledgements 


1 express my deepest gratitude to Prof. M.U.Siddlqi for having given me valuable sug- 
gestions and the freedom to work on the topic. Also my sincere thanks to Balvinder for 
helping out in various stages of the wcsrk and to Ashish, Venkatesh, Anjani and Abhay for 
memorable moments in the IP Lab And to S.P, Shailesh, Goya^jee and others for their 
wonderful company during my stay at IIT Kanpur 


Kalyan Kuppuswamy 



Table Of Contents 


Chapter 1 : Introduction 

1.1 General Nature of the Problem 1 

1.2 Motivation and Scope of the Work 1 

1.3 Organisation of the Work 4 

Chapter 2 : Review of Cryptology 

2.1 Cryptological Concepts 5 

2.2 Cryptographic System 5 

2.3 Public-Key Cryptosystems 8 

2.4 Public-Key Systems based on Exponentiation Ciphers 9 

2.4.1 Pohlig-Hellman Scheme 10 

2.4.2 Massey-Omura Scheme or Three- Pass System 11 

2.4.3 Rivest-Sharair-Adleman (RSA) Scheme 12 

2.5 Discrete Logarithm Problem and Recent Advances 13 

in breaking Ciphers 

Chapter 3 : Elliptic Curve Structures 
over Finite Fields 

3.1 Introduction 17 

3.2 The Elliptic Curve Group Algebra 21 

3.2.1 Elliptic Curve over Field of Characteristic 25 

char(E(F!t)) > 3 

3.2.2 Elliptic Curve over Field of Characteristic 27 

char{EiFk)) = 2 

3.2.3 Properties of Elliptic Curves defined over 28 



vu 


a Field Fk 

3.3 Classes of Elliptic Curves used for Implementation Purposes 29 

3.4 Message Embedding Schemes 32 

3.4.1 Implementation over Fields of Characteristic >3 32 

3.4.2 Implementation over Fields of Characteristic = 2 35 

Chapter 4: Elliptic Curve Cryptosystems 

4.1 Elliptic Curve Cryptosystems over Finite Fields 42 

4.1.1 Eihptic Curve Pohlig-Hellman Scheme 42 

4.1.2 Elliptic Curve Massey-Omura Scheme 44 

4.1.3 Elliptic Curve El Carnal Scheme 45 

4.2 Generalised Elliptic Curve Cryptosystems over Finite Rings 46 

4.3 Security Aspects 54 

4.3.1 Non b-smooth Orders 54 

4.3.2 Non-Singular Elliptic Curves 55 

4.3.3 Homomorphic and Isomorphic Attacks 57 

Chapter 6 : Some Computational Aspects 

5.1 Using Affine and Projective Coordinate Systems 59 

5.1.1 Homogeneous Polynomial 59 

5.1.2 Projective and Affine Spaces 59 

5.1.3 Plane Algebraic Curves 60 

5.1.4 Singularities of a Curve 60 

5.1.5 Addition Formula using Projective Coordinate System 62 

5.2 Choice of Basis Representation 67 

5.2.1 Standard Basis Representation 67 

5.2.2 Normal Basis Representation 68 

6.3 S(»tno Eni< Uml I'hicryplion SclioinoH 70 



YUl 


Chapter 6 ; Conclusions 

6.1 Comparison wHh existing Public-Key Cryptosystems 73 

6.1.1 Computation Time Companson 73 

6.1.2 Compsarison on Security Aspects 75 

6.2 Scope for Future Work 76 

References 77 



List of Figures aud Tables 


Dt 


Figure 1: Classification of Cryptographic Systems 3 

Figure 2: Cryptographic Systems 6 

Figure 3: Geometric Interpretation of Group operation 23 

of Elliptic Curve defined over set of reals 5R 

Figure 4. Procedure for finding solutions on B(Fp) 33 

Figure 5: Procedure for finding solutions on E{F^) 39 

Figure 6: Generalised Cryptographic Systems 47 

Figure 7; Squaring Operation of any element A{P) e Fya 69 

Table !• Cayley Tfeuble illustrating Abelian Group formed 22 

by the elliptic curve B + y = over the field Fjs 

Table 2- Abelian Group formed by the elliptic curve 34 

E = x^ + 1 over the*field F79 

Thble 3' Abelian Group formed by the elliptic curve 40 

F : 4- J/ = 4- 1 over the field F2T 

Thble 4: Monoid Structure formed by the elliptic curve 49 

B ‘y^ = + li over the ring Zss 

Table 6: Decomposing Monoid £(^55) using E{Z^’s) = E{Z<s) 0 F(Zii), 50 
a direct sum of two abelian groupw 

Tbble 6 List of exponentials for which is Prime 53 

Table 7: Computation Time Comparison for Affine and 64 

Projective Coordinate Systems 
aF.ir^ = a:^4-x-l-l over Fgsiaiy 
b F’jr*4-3/ = a^4-x4-l over i^ir 

Table 8- Polar to Cartesian Coordinate Mapping 69 

Table 9 . Normal Basis Representation 69 

Table 10 Computation Time ComperiBon for Standard and 71 

Efficient Methods of Group Operation 
aF y^ = x^4-a;4-l over F234161 
b F.y^4-2/ = a:^4-x4-l over 



Introduction 


1.1 General Nature of the Problem 

Fbr thousands of years, Cryptogmphy has been the art of providing secure commu- 
nication over insecure channels, and CryptanalysU has been the dual art of breaking into 
such communications. Historically, this combined art caDed Cryptology has been almost 
exclunvely in the hands of military and diplomats. However, with the advent of the com- 
puter revolutkm, and a society where vast amounts of personal, financial, commercial and 
technological information are stored in ccanputer data banks and tramferred over c(»nputer 
networks, the necessity for civilian cryptography has becmne overwhehning. 

With the advances in science and technology, the age-old battle between cryptograr 
phy and cryptanalysis has taken a new dimension. The enormous increase in computing 
power and the advent of parallel processing has placed the cryptanalyst in a iar more 
favouratde position and many of the existing cryptosystems have been completely brc^n 
(sr seriously threatened. And ciyptdbgists are working towards finding objective criteria 
for the security of the cryptosystems, thereby transforming this ancient art into an exact 
science 

1.2 Motiiration and Scope of the Work 

The problems in the area of cryptography whidi draw our attention ate 

a) How do the pres^ cryptographic systems stand upto cryptanalytk attacks? 

b) If not, can we look for new cryptographic systems which could pcsnUy withstand 

these attacks 7 

c) The underlying themy behind the new cryptosystem design. 

d) The engmeering aspects like computation complexity etc. involved. 

In this thesis, we shall tackle scnne of the above problems. In cryptographic literature, 
there exist two schemes of encryption - private-key and publio-key S3r8ten». We shall 
restrict our attention to public key systems only. 


2 


We can divide the existing cryptographic schemes on public-key systems into two categories 

1) Cryptoorstems based oa finite field structure lilra Diffle-Hellman, Pc^dig-Hellman, 
Massey-Omura schemes (5, 10, 15]. 

2) Cryptosystems based on finite ring structure like Rivest, Shamir and Adkman (RSA) 
scheme [5, 10, 1^. 

However, improved methods in solving the discrete logarithm problem [2, 4, 5, 11, 19] 
over finite groups and factmization (2, 4, 5, 21] teduuques have threatened these ecxisting 
methods. There could be two approadies to ward off the threat. One, simply search lor 
higher and higher mder of groups which are beycmd the computational reach of modem 
day computers (orders like 200 digit primes) and wait till improved tedmclogy catches 
1 ^) with it and increase the order then and so on. But this hide and seek approadi is a 
rather simplistic soluticm and an altogether different approach to the problem is required. A 
second method could be as following. If one looks carefully into the nature of these attadrs, 
one finds that it is the multiplicative structure offered by fields and rings, over which 
cryptosystems are designed, that are being exploited lor cryptanalytk attadrs. Hettce, a 
cryptosystem defined over a lesser restrictive structures, f it is reasonable to assume at 
an intuitive level that most of the cryptanalytk attada can be avcuded. A general picture 
of our method of classification is depicted in Figure 1. We shall substantiate t^on our 
gmeral observation in the text later. 

The elliptk curve algelna defined over fields and rings promises us this requisite struc- 
ture. We shall kx^ deeper into the theory aspects of this algd>ra, try to adapt the existing 
public-key cryptographk schemes like Pchlig-Hellman,etc. on elUptk curve groups and 
more imp<^antly from the practical viewpoint, kxdc into various implementation aspects 
that arise with these modificated cryptosystems. 

f by that we mean structures %oUh only one operation defined^ addition, like groups 
or monoids, unlike structures like fields or rings over which we have two operations, 
addition and multiplication 



FIG. 1: CLASSIFICATION OF CRYPTOGRAPHIC SYSTEMS 



LEGEND 

1: CRYPTOGRAPHIC SYSTEMS OVER FIELDS 
2: CRYPTOGRAPHIC SYSTEMS OVER RINGS 
3: CRYPTOGRAPHIC SYSTEMS OVER GROUPS 
4: CRYPTOGRAPHIC SYSTEMS OVER MONOIDS 



4 


1.3 Organisation of the Work 

Chapter 2 gives the review of the existing p«Wk>key cryptocrystems and a snnunaiy 
of the recent advances in breaking some ci the ciphers. 

Chapter 3 gives the necessary algebraic background required to understand elliptic 
curve cryptosystems. We also narrow down on certain classes of ell4>tic curves for imple- 
mentation purposes and discuss procedures for mnbedding message teocte iot enciyptum. 

In Chapter 4, we discuss the elliptic curve analogs of the existing publio-key cryp- 
tosystems, how they offer better security against traditkmal cryptanalytic attacks. Also a 
new generalisation of the existing cryptosystems is presented. Choice of elliptic carves for 
preventing cryptanalytic attadm are discussed. 

Chapter 5 gives the engineering aspects involved in implementation of elliptic curve 
public-key cryptosystems viz. efficient encryption, dioice of basis functions, for faster 
encryptkm etc. 

In Chapter 6, we conclude with a comparison with the existing puUic-key systems 
and discuss the scope for future work in this area. 



5 

Chapter 2 

Review of Cryptology 


We start with s few basic deflxdtlotis in the area of Ciyptology. 

2.1 Cryptological Concepts 

Cryptography is the science and study of secret writing. A cipher is a secret method 
d writing, whereby plaintext (or cleartext) is transfbnned into ciphertext (aUo called 
cryptogram). The process of transforming plaintext into ciphertext is called encipher^ 
ment or encryption^ the reverse process of traiwforming dphertext into plaintext is called 
decipherment or decryption. Both encipherment and decipherment are controQed by a 
ciyptographk key. 

Cryptanaiysie is the science and study of methods of breaking ciphers. A cipher 
is breakable if it is possible to determine the plainteixt or key from the ciphertext, or to 
determine the key frmn pkdntext-ciphertext pairs. 

The branch of knowledge embodying both crypto^ldiy and cryptanalysis is called 
Cryptology [5, 10, 15]. 

2.2 Cryptographic System 

A cryptographic system (or cryptosystem) has five components (10) 

1. A plaintext messi^ space M 

2. A ciphertext message space C 
3 A key space k 

4. A femily of enciphering transformations 

Ek ’ M -* C, where fc e k (2.2.1) 

5. A family of deciphering transformatioitt 


Dk • C M, whare fc e x 


( 2 . 2 . 2 ) 



FIG. 2: CRYPTOGRAPHIC SYSTEM 



plaintext 


ciphertext 


plaintext 






7 


A gieneral i^ure of a cryptographic system is depicted in Figure 2. 

Cryptosystems must satisfy three general requirements 

1. Hie enciphering and deciphering transformations must be efficient for all kqys. 

2. The ^rstem must be easy to use. 

3. The security of the system should dqpend only on the secrecy of the keys and not on 
the secrecy of the algorithms E and D. 

There are tqieciflc requirements for secrecy and authenticity [10]. Secrecy requires 
that a cryptanalyst not be be aUe to determine plaintest data from intero^ited cipherteact. 
Formally, there are two requirements 

a) It should be ccnnputationally infeaslUe for a cryptanalyst to systematically deter- 
mine the deciphering transformations Dt, from intercepted ciphertext c, even if the 
corresponding plaintext m is known. 

b) It should be computatkmaOy infeasible fer a cryptanalyst to systematically determine 
plaintext m from intercepted ciphertext c. 

Data authenticity requires that a ciyptanafyst not be able to substitute a false cipdber- 
text for a ciphertext c without detection. Formally, the two requirements are 

a) It should be computationally infeasiUe for a cryptanalyst to ^tematlcally deter- 
mine the enciphering transformations Ek from intercepted diffiertext c, even if the 
corresp<mding plaintext m is known. 

b) It should be computationally infeasiUe for a cr}rptanaly8t to systematically find d- 

pbertext d such that is a valid plaintext in the set. 

Cryptosystems can be dassified in two categories [5, 10, 15] 

i) Secrct-k^ or private cryptosystem 

il) Public-key csr puWic cryptosystem. 

A g^eoeral cryptosystem Is secret-key if some secret piece of information (the key) has 
to be agreed ahead of time between any two parties that wish to communicate through 
the cryptosystem 



8 


This need of secure key distribution was not a major problem in the days when 
ciyptography was for the few. Now that cryptography has gone puUk, it is unreasonable 
to set up a network in whidi eadi pair of potential users share a secret key in advanoet 
because the number of keys would grow quadratkally with the number of users. 

lb overcome this difficulty and ensure secure ocmununkation over insecure dbannels 
between two totally unaoquaninted parties, the ccacept of public-key cryptosystem was 
evolved. 

2.S Public-Key Cryptosystems 

Ibe ccmoept of two-key cryptosystem was introduced by Diffle and Heilman in 1876. 
They proposed a new method of encryption called Public-key encryption [5, 10, 15], wherein 
eadi user has both a puUk and private key, and two users can communicate knowing only 
eadi other's public keys. 

In a pulffic-key lystem, each user A has a puUic enciphering transfonnatlon which 

may be registered with a public directory, and a private deciphering transformation 
which is known only to that user. The private transformation Da is described by a private 
k^, and the putffic transformation by the puMlc key derived from the private k^ by the 
one-way transformatkm. It must be computationally infeasiUe to detmmine Da from Ea^ 

In a puUk-key systmn, secreqr and authenticily are provided by the seperate trans- 
formatiom. Suppose us^ A wishes to send message m to another user B. U A knows ffa 
putffic transformation A can transmit m to B in secrecy by sending the ciphertext 
c = Eo{m). On receipt, B deciphers c using B's private transfocmaticm I>n, getting 

Dd{c) - I>n(Bn(m)) - m (2.3.1) 

The preceding scheme does not offer authenticity because aiqr user with access to 
B's public transformatkm could substitute another message m' fra* m by replacing c with 
d — Eoin^). 

authenticity, m must be transformed by A*$ own private transformation Da> 
Ignoring secrecy for the moment, A sends c = DA(m) to B. On receipt, B uses A'a puUk 
transicamatian Ea to ccanpute 


B^(c) = EA{DAim)) = m 


(2.3.2) 



Authentidty k provided because oaly A can apply the tranafcMrmatkMi Da- Secrecy la 
not provided because any user with access to A's public transformation can recover m- 

Ib achieve both secrecy and authenticity, the sender and receiver must each apfdy 
two sets of transformation. Suppose A wishes to send a message m toB. First A's private 
transformation Da is applied. Then A encifdiers the result using B's pul^c encryption 
transformation Eb, and transmits the doubly transformed message c s= EB{DA{fn)) to B. 
B recovers m by first applying B's own private deciphering transformation B/j, and then 
applying A's public transformation Ea to validate its authenticity, getting 

EA{Do{m)) = B^(Bo(Bo{B^(m))) (2.3.3) 

e= EA{DA{m)) 
ss m 

2.4 Public-Key Systems based on Exponentiation Ci- 
phers 

In this section, we shall discuss the major cryptographic schemes which emerged after 
Diflfe and Heilman’s pkmeering breakthrough in cryptographic studies. 

All these cryptosystems (5, 10, 15] are based on encryption based cm computing ex- 
ponentiab over a finite fidd. The enciihering and deciphering traasfonnatkms are based 
cm Euler’s generallsatkm of Fermat’s Theorem. 

First, let us discniss Euler’s Tbtient Fhnetion [10, 18) 

Definition! Given an integer n, is the number of elements in the reduced set 
of residues modulo n. ^n) is the number of positive integers less than n that are 
relatively prime to n. 

In general, for an arbitrary n, ^n) is given by 

t 

^n) = f[pr'(p,~l) (2.4.1) 


where 



10 


ThetMrem 2.4.1. (FimnaVa Little Theorem) [10, 18} Let p be prime. Then For every a 
gudi that gcd{a,p) = 1, 

s 1 (mod p) (2.4.2) 

Euler provided a generalised version of the above theorem. 

Tlie(»om 2.4.2. (Euler’s geDerabaathn) [10, 18j Fixr every a and n such that $cd{a, n) as 

s I (mod n) (2.4.3) 

Proofi Let ri, r2« * * * r^n) the reduced set of residues modulo n such that 0 < < n 

for 1 < » < ^(n). Tberefi»e, 

4(n) ^ 

n - n (2.4.4) 

» iarl |ks1 


By cancellatioii, 

3 1 (mod p) . 


2.4.1 Pohlig-Hellman Scheme 

In this scheme [5, 10, 15], enciphering a message Mode m € Zn is deme by computing 
the expcxMntial 

c s m* (mod p) (2.4.5) 

where p is a large prime 6 Z and C E Zp. Here e and p are the keys to the enciphering 
tranaformatiofi. 


m is restored by the same operation, but by using a different exponentia] d for the key 

m E (mod p) (2.4.6) 


such that 


ed s 1 (mod <l>ip)) 


(2 4 7.a) 



11 


Since p is prime, 

<^)=p-l (2.4.7.6) 

The security of the scheme rests mi the complexity of computing diecrete kgarithms 
in Zp. This k because under a known plaintext attack, a cryptanalyst can cmnpute e (and 
thereby d) given a pair (m, c) 

c = loQnC in Zp (2.4.8) 

P(^ilig and Heilman [10] show that if (p— 1) has mily small prime factors, it k pcssiUe 
to compute the logarithm in 0{logp) time, which k unsatkfactory even lor large values 
of p. The fastest known a]g(»ithm for computing the discrete logarithm in J^, due to 
Adleman takes i^roadmately 

T *= exj^sqrt{lnp{lnlnJ^p))) (2.4.9) 

Conrider an exampk, if p k 200 Uts long, then Equatkm (2.49) evaluates to T* == 2.7x 
10^^. Assuming 10^^ steps can be performed per day (l.e. about 1 stqp per mkrosecoiKi), 
the entire omnputatkm would take only a few days. 

Pohlig and Heilman also note that their sdieme could be implemented in the Gakris 
Field i^, where 2” — 1 k a large prime number called Mersenne prime (18). Such an 
implementation would be efficient and have the advantage that all messages would require 
exactly n bits; furthermcare, every element in the range (1, 2" — 2) could be used as a key. 

2.4.2 Massey-Onma Sdieme or Three-Pass System [14, 15] 

Consider n whidi is a prime or a product of large primes. Suppose user A wkhes to 
send a message m € Zn . Then the encryption k given by A selecting a random c satisfying 

0 < c < n and gcd(c, n) » 1 


and she transmits to B 


Cl s TO® (mod n) 


(2.4.10) 



12 


Now B chooses a raiKk»n integer d with the same iMopertks, and transmits 

C 2 s (mod n) (2.4.11) 

s (m*)^ (mod n) 
a (mod n) 

Then A transmits back to B 

CiSd2 (2.4.12) 

where d stidh that cc' a 1 (mod 4^n)) or 

a H (mod n) (2.4.13) 

s (m*)*^ (mod n) 
s (mod n) 

Finally B computes 

C 4 s (mod n) (2.4.14) 

where thf & 1 (mod ^n)) or 

Cl a (mod n) (2.4.15) 

a m (mod n) 

This scheme retains all the advantages of Pbhlig-Hellman scheme. However, the re- 
cpiiremait that A and B need to communicate three times over to get a message m trans- 
mitted from one to another may not be suitable frnr many practical purposes. 

2.4.3 RiTest-Shaiiui-Adleiiian (RSA) Sdiemt 

Hiis scheme {5, 10, 15] runs similar to the previous sdiemes i.e the enciphering and 
deciphering fiinctioas are given by 


cam* (mod n) 


(2.4.16) 



13 


(mod n) (2.4.17) 

Here, the modulus n is the product of two large primes p and q 

n = pg (2.4.18) 

and thus 

^n)«(p-l)(g~l) (2.4.19) 

Rivest, Shamir, and Adleman recomment picking d relatively prime to ^n) in the interval 
{max{p^ g) + 1, n — 1). 

Because ^n) cannot be determined without knowing the prime hictors p and g, it 
is possible to keep d secret even if e and n are made public. This means that the RSA 
scheme can be used for puhliok^ encryption, where the enciphering transformation is 
made puUk and the deciphering transformation is kept secret. 

The security of the ^tem depends on the difficulty of jGactoring n into p and g. The 
known factoring algorithm, due to Schroppel [10] takes 

T = exp{sqrt{lnp(lnln{n))) steps (2.4.20) 

2.5 Discrete Logarithm problem and recent advances in 
breaking ciphers 

Several problems in number thecny are believed to be computationally intractible, 
a property that is potentially of great use in cryptography. Included in this category 
are proUems related to integer facttvizaticm and the evaluatkm of discrete logarithms in 
various groups. We shall ocmsider the discrete logarithm problem over groups. 

Let 6 be a finite cyclic group, and let a be a generator fcnr G. Let #G be the order 
of G. The discrete logarithm of an element to the base a in (? is an integer x such that 




(2.5.1) 



14 


Uxia restricted to the interval 0 < £ < then the discrete logarithm of ^ to the 
base a is unique. We write 

« » /offajS (2.5.2) 

Ihe discrete logarithm proUem is to find a computationally fSeasible method to find 
logarithms in a given group G (2, 4, 9, 11, 15, 19]. 

Fbr groups having small coders, one method to solve this proUem is to precompute a 
table of logarithms in one go. Another is to compute consecutive powers erf a and compare 
with ^ till a match is found. But these primitive methods are impractical when is 
suflkiently large [2|. 

Several other methods have been devel(^)ed to find <nder ^^G fot large values in 
subexponential times - Baby-Step Giant-Step method [13], Pollard’s p method [21], Pcrfilig- 
Hellman [19] etc. The most powerful method everfved as yet for cmnputing logarithms aver 
cyclic groups is Index Calculus method (2, 4, 15]. The underlying philosophy in all these 
methods is that they exploit the multiplicative nature of the group where discrete loga- 
rithms are to be cmnputed. As an example, we shall briefly discuss the generic description 
of the Index Calculus Method. 

Let (? be a finite cyclic group of ordw ^^3 generated by a in which we wish to compute 
logarithms to the base a. Suppose (1 b {pitPai * * ' >Pn} be a subset of G with the properly 
that a significant fraction of all elements of G can be writtmi as a product of elements 
from n. The set (1 is called the factor base for the index calculus method. 

In Stage I, we attempt to find the logarithm of all the elements of (2. We pick a 
random integ^ a and attemptt to write ct* as a product erf the elements in fl, 

= (2.5.3) 

If we are succeeafiil, then the above equation yiekb a congruence lelationship 

i 

O « 0tlogalH (mod #<?) 


(2.6.4) 



/ 


15 


Ttik way we ccdlect rdatioos greater than t to form a aet ol equatkma which are 
expected to have a unique solution lev the indeterminates loQtjpi Vi € {1, 2, • • • ,t}. 

In Stage II, we oxnpute the individual logarithms in G. Given an dement 5 € C?, we 
wish to find an integer x sudi that 

a»-« (2.5.6.tt) 

or equivalently, 

* = log^S (2.5.5.6) 

Fbr this, we pi<h up random integers s until a“S can be written as a product at elements 

inn 

< 

= (2.5.6) 

We then have ^ 

logaS m ^ bilogaPi — s (naod #G) (2.5.7) 

4-1 

The suitability of the above method depends critically cm the fact that we need to 
sdect an appropriate set Q, and how to g^erate the other relations efficiently f. 

Unfortunatdy, it is found that groups based on multiplication operatiem i.e multi- 
plicative groups are easily amenaUe to such requirements and thus the Index Calculus 
Method (and similarly other methods like Pohlig-Hellman,etc. mentioned above, which 
also require a precomputed fEkctor database) work fairly efficiently. Thus traditional cryp- 
tographic schemes like Diffie-Hellman, Pddig-Hdlman, El Gamal, etc based on finite fields 
and whose security is based cm computing discrete logarithms over finite multiplicative 
groups thus become targets of cryptanalytk attadrs based on above techniques. 

So, an obvious way to ward cS these attacks are to look fear such finite groups G 
where finding logarithms of elements is infsadble. The groups that have been coosideted 
are Jacol^an dt a hyperdliptic curve defined over a finite field, the group of non-singular 

t by that toe mean that the set U is small and at the same time the proportion 
of elements in G that factor (nil is large. 



16 


mattkes over a finite field, the class group of an imaginary quadratic field, group of p<diits 
on an dliptic curve over a finite field Anocmg these alg^nraic groups, the elliptic curve 
groups [2, 14, 17] and non-singular matrix groups [22] have been considered tor ciypto- 
gnphic implemention. In our analysis, we shall study the elliptic curve grotqw lor defining 
cryptosystems and try to base the security of the existing public-key cryptosystems iilcn 
Pohlig-Helhnan, E3 Gamal, etc. on the dliptic curve discrete logarithm inoblem. These 
groups have the advantage that the above methods of discrete logarithm cmnputations do 
not seem to generalize to them, and if the order of the group is propel chosen, then the 
discrete logarithm proUem can be made extremdy difficult to compute- 



17 


Chapter 3 

Elliptic Curve Structures over Finite Fields 

3.1 Introduction 

Hie group of p<^t8 on an elliptic curve over any arbitrary held can be defined as the 
set of solutions {xy y) of a certain third-order algel»aic equation. 

Definitfent (2, 0, 14, 17, 21] An elliptic curve E{Fi^ over a field Fk is defined 
to consist of all points (;e,y) € x which are the solutions of the Weirstrass 
Equation 

E:y^ + aixp -f ajy = -f- 02 ®* + a^x -f at (3.1.1) 

where Oi^Fk for i€ Z such that E{Fit) has no singularities ( discussed later). 

Define the quantities 


-f- 402 (3.1.2) 

di ae 204 *f 0103 
dB = o|-f4os 

dt — fliOf -|- 40303 — aia 3 a 4 -I- — 04 

04=8^2” 24 d 4 


and 


A ~ -4>k - fidj - 27dg -I- Qdidtdt 


i(£)“ 


A 


(3.1.3) 


The quantity A is called the discriminant of the Weirstrass equatkm and j{E) is called 
the j-invariance of JB? if A ^ 0 [2, 3, 6, 14, 17, 21|. The fcJlowing theorems explain the 
significance of these quantities. 



18 


TbecM'em S.1.1 Let E be the given Weirstrxua equation (3.1.1). Then B i» an 
elliptic curve, Le., the Wdrstraas equation ia non-ainguiar if and only (f A ^ 0 . 

Theorem 9.1.2 Two elliptic curves Ei{Fk) and E 2 {JF),) given by the non-aingular 
Weiratraaa equaUona 

JEi : y* + oiicy + ojif X* + 11 ^ + 04 * + a* (3.1.1.a) 

■El : + <^y = x* + + aJiX + (3.1.1.b) 

are isomorphic over Fk, denoted by Ei S B^, if and only if there exist variables 
u,r, a,t € f)t,u^ 0 , auch that the change of variables 

{x, y) — ► (u*x + r, u*y + u*ox + 1) ( 3 . 1 . 4 ) 


tranaforma equation E\ to equation E^. The relation of isomorphism ia an equiva- 
lence relation, 

Thewem S.1.S If two elliptic curves Ei(J%) and £^(Fk) are isomorphic over F),, then 
j{Ei) = j(JEa). If two elliptic curves are isomorphic, then they are also isomorphic 
as abelian groups. The converse statement ia not true in general 

Fbr various charact^lstics of the fidkl Fk denoted by char{Fk), the above equatkm 
can be reduced by means of coordinate transformatioiL 

a) Case when curve over Fk, char{Fk) 2, 3 

If ckar{Fk) 2, then by means of the fcdlowing transformation <m eq. (3,1.1), 

(x, y) — y (x,y-^-Y) (3.1.6) 


we got. 


Fj : o X^ + 63 X* -}• i 4 X + hg 


where 


^ ®a + 
64 0 04 + 



sog-b 


4 


(3.1.6) 

(8.1.7) 



E{Fk) is Iscnnarphic to E?(Fi,) over i=i /)r 

19 

F(F*) ai S'(F]k) over F* 

(3.1.8) 

Since char{Fk) 9 ^ 2 , 3, then further change of variaUes 

(3.1.9) 

we get, 

F*:y* = a:* + ax + 6 

where 

(3.1.10) 

o«~432i^+12ft664 

6 = 46e666e - 155526264 + 34566^ 

(3.1.11) 

Again F'(/]k) S F"(n) over F*. 

Hence E{F),) as F''(i^) over F*. 

Theorem 8.1.4 The elliptic curves 


^i{Ek) : y* SB X* + o'* + 6' 

(3.1.12) 


(3.1.13) 

ore isomorphic over F* and on/y if there exists a u € F* such that 


as o' 

(3.1.14) 


u«ft" « b' 

If ^ E 2 {Fk) over F*, then the iscniKnphjsm rdlatkm is given by 


X • Fi — ► -Fif X J (®»y) — ^ (tt It *y) 


(3.1.15.a) 



20 


or equivalently, 

if : Eh — * Eh-, V* * (®» v) — ► (*»% tt*y) (3.1.16.6) 

Fbr the elliptic curve E!"{E),) ,giveii by eq (3.1.10), the associated discriminant A and 
^-invariant j{Ek) over F* are ^ven by 

A = -16(4a* + 276*) (3.1.16) 

and 

m) “ (3.1.17.a) 

b) Case when curve over F*, char{Fk) “ 2 

Consider E{E)t) given by the general Weirstrass equation, 

F : y* + aixy + asy = a;* + o^a;* + c^x + oe (3.1.1) 

Using equation (3.1.2), we calculate the j-invariance f<»r char{Fk) 2 as 

j(B») = ^ (3.i.m) 

There could be two kinds of curves defined for this case [2, 13]. 

1) Case when j-invariance equals aero 

Since j{Eic) =: 0, we have ai s 0. Consider the following transfnrmatkm 

9 : (ar, y) — * {x + oa, y) (3.1.18) 


We get 


Eh'-y^-h t^y =» aj* -H «4ar -f> oi 


(3.1.19) 


HereF(F*)aF>(F*). 

The above curve is called j-invariant curve over F/t, char(i^) 2. 
2) Case when J-invariance is not eqpud to zero 



21 


Coitfider the ft^kndiig transJbnnatioo of equation 3.1.1 and aasuming char{F)t) ae 2 

,2 j.-? 


i ; (ar,y) — > («^a;+ 

ai Oj 


(3.1.20) 


We get 


£?i : y* + *y =■ ** -f oaa!^ + ii« 


(3.1.21) 


The above curve ia called j-variant curve over Pi, char{F]t) *» 2. 

3.2 The Elliptic Curve Group Algebra 

The points on an elliptic curve aknigwith a special point (oo, oo) denoted by Q, (the 
identity element) form an abelian group under a certain addition operatkm given fay 0 (2, 
3, 6, 12, 13, 16, 21] . Let E{I),) be an elliptic curve defined fay the Weirstraas equation 
(3.1.1). The rules of addition are given as following 

Consider two p<^t8 PtQ € E{Fie). Then, 

a) Q0P«PandP0i2»P. 

b) 

c) If P = (a?i, yi) ^ Q, then -P *= (*!, -yi - aixi - a#). 

d) lfQ--P,thenP0Q«fi. 

e) U P ^ Cl,Q QiQ — P» then let P be the third point of intersection of either the 
line PQ if P ^ Q or the tangent line to the curve at P if P » Q, with the curve. 
Then, P®Qbm —R. 

Explicit formulae for the group operatim 0 is defined as following. Consider P » 
(®i»yi)»<? = (iC2il/li) Mid let P0Q = (a;s,y 3 ) be points on the general dliptic curve 
equation given below 


P? : y* + aixy + a^y = «* + oaic* + 04* + a* 


(3.1.1) 


Define 


( ya- Vi 

Xi- xi ’ 

3vcf + 24i2^i + ^4 




i 2y\ + fi\Xi + ag 


ifPftg 

ifp*g. 


(3.2.1) 



Table 1 : Cayley Table lllusbating Abelian Group formed by the elliptic curve B y^+y 
^ over the field 



\ a ts a prtmttnre root of the. irreducible polynomtcd /(*) = ac^ + + 1 vditch genemtee 

/(a) = 0 


FIG. 3: 

GEOMETRIC INTERPRETATION OF GROUP OPERATION 
OF ELLIPTIC CURVE {E,(+)} DEFINED OVER 
SET OF REALS R M (+) Q ■ N 



24 

Let “ in — Axi. 

Then, 

^ A® + oiA — 03 — xi — *2 (3.2.2) 

Vs ^ ~(A + ai)x 3 — — Os (3.2.3) 

Tb Illustrate the additkMi law, let us cooskler the following examples. 

Example! Assume an elliptic curve 

: V* = X* — 18x + 16 

defined over Q, the set of rationale. ITie point P — (0,4) satisfies the above equation. 
Tb obtain 2P ta P^P, we invoke the above fcwmula (few P a* Q case) to obtain A *■ — 2 
fixxn which we gjet 2P =» (4,4). From P and 2P, we obtain 3P (using P ^ Q case) as 
3P = (—4, —4). Continuing this vrvy, higher multiples of P are: 4P =■ (8, —20), 5P ■= 
(1, -1), 6P - (24, 116), 7P « (^, ::^), . . . 

Exampl e! Consider an elliptic curve P : y* + y = x* defined over where /(x) is 

/(x) 

the irreducible p<dynomial x* + x* + 1 whidi defined the field jFy. a be a primitive 
root of the pcJynomial ic /(a) =» 0. Consider the Cjqrley Table (see TaUe 1) formed by 
the points of the above elliptic curve with a defined operation 0. It can be easily verified 
that with the above operation {P(i^),0} fesms an abelian group. 

The above explanatioQ is best illustrated with the field P ae li, the set of real numbers as 
shown in Figure 3. 

The line jdning the points Pi and Pi has a gradiant A given by the above l(»mull^ 
the alternative is derived from the limiting case v^n the diord becomes the tangent at 
Pi. This line Intersects the curve at one further point P', whose negative is defined to be 
the sum of Pi and i^. 

One way of interpreting the additkxi law on P(F*) is to state that the three p<^ts 
P,Q,P are <xJinear if and only if 


P0Q0P-=fi 


(3.2.4) 



25 


With thk interpretatioo, the condition for non-singularity (Theorein 3.1.1) can be 
Interpreted as - the cubic in x should not have a linear factor squared. This is easier 
understood by the geometrical implicatkMis - having a double root means that the slope 
of the curve E{I^) is not well defined at that double point. 

Let us consider an elliptic curve (defined over a field with diaracteiistic ^ 2,3) having 
douUe toot at a; 5 —a (mod X;). 

y* *(® + «)*(* -I- y9) (3.2.6) 

y* as •+ (2a -f -I- (o* -f 2afi)x -1- 

Ccnnpaiing with y^sBic*-|-oa5-f5, weget 

2a-|-/3«0 (3.2.6) 

a BB -f- 2aj9 

6-a*/9 

and 4a^ -f- 275^ >= 0. Hence the condition for non-singularity is 

A « -16(4a* 4 27**) ^ 0 (3.2.7) 

3.2.1 EDiptk curve over field of characteristk char{E{Fk)) > 3 

The elliptic curve equatkm can be written as 

£? ; y* = jc* 4 a® 4 * (3.2.8) 

Using Equations (3.2.1), (3.2.2), (3.2.3) and comparing with (3.2.8), we get the addition 
fmnula as following 

If F = (®i,yi) 6 E, then — F =s (®i,— yi) and F ® (—F) = Q. Given another pcdnt 
Q Ml (x], p}) € E, it satisfies the above properties and U Q yi — F, then P Q Q (xj, yi) 
where 


= A* — ®i — *2 
Vi *= -^(*1 “ «s) “ Vi 


(3.2.9) 



26 


where 


Vi — Vi 

*2 — *! 
Siq-f a 


, ifP«Q 


(3.2.10) 


Examines Ckxisider the fcJkming example to illustrate abeHan group induced hy an elliptic 
curve over a field Fs 

If* ==»«* + 2 (3.2.11) 


Here the coordinates defining the elliptic curve group are : 

(2, 0), (3, 2), (3, 3), (4, 1), (4, 4), (oo, oo) = which is the sero of the group. Order of the 

above group is 6. The order of each of the group elements is calculated as follows :> 

i) Consider Q = (2, 0). 

Q 0 Q S3 (2,0) 0 (2,0) *3 (oo,oo) 


Hence 2Q » 

ii) Consider Q « (3, 2). 

0 Q = (3, 2) 0 (3, 2) =» (3, 3) 
2g 0 <? = (3, 3) 0 (3, 2) = (oo, oo) 

Henoe 3Q am Q. 

iii) Consider Q as (3, 3) 

Q0<?-(3,3)0(3,3)«:(3,2) 
2Q 0 Q = (3, 2) 0 (3, 3) OB (oo, oo) 

Hence ZQaaQ. 

iv) Cemsider Q a (4, 1) 

<?0(?»(4, 1)0(4, 1) =(3,3) 
2g0<?-(3, 3)0(4, l)-(2,0) 
3Q0<?-(2,O)0(4,l)-(3,2) 
4g 0 Q = (3, 2) 0 (4, 1) = (4,4) 
5(?0(J = (4, 4)0(4, 1) as (oo,oo) 



27 

Hence tQ^^Q. 
v) Coneklcr <} ■> (4,4) 

Q©g«(4,4)®(4,4)-(3,2) 

2Q®g - (3,2)® (4,4) « (2,0) 

3Q©Q - (2,0) ® (4,4) « (3,3) 
4Q©Q-(3,3)®(4,4)-(4,l) 

5Q ® Q * (4, 1) © (4, 4) s» (oo, oo) 

Hence 

S.2.2 En^ik c u rve over field of charocterfetk char{E{Fk)) «« 2 
Here we shall consider two cases 

a) j-invariant elliptic curves (j{E{f)t)) ■■ 0). 

b) i-variant elliptic curves (J{E{Fi,)) 0). 

For case a), the elliptic curve equatkm can be written as 

E:V^'¥ osy ■* ** + OiS + oe (8^.12) 


Using Equatkns (3.2.1), (3.2.2), (3.2.3) and comparing with (3.2.12), we get the addition 
jbnnula as fic^lowing 

HP** (*i, Vi) € Ef then —P * («i, jfi + os) and P © (—P) ** Given another point 
Q as {x 2 ,y 2 ) € J?, it satisfies the above properties and if Q — P, then i^StVs) 

where 


and 



in 


[ 


+ *1 
-f Oj 

<«s 


)(*i+«s) + yi + fls, 
)(®i+*s) + yi + as. 


ifP¥‘Q 

itPmQ 


(3.2.13) 


(3.2.14) 



28 


Fen* case b), the elliptic curve equation can be written as 

+ = + + (3.2.15) 


Using Equations (3.2.1), (3.2.2) ,(3.2.3) and comparing with(3.2.16), we get the addition 
formula as following 

If P =» («i, pi) € P, then — P = (®i, pi + tta) and P © (— P) ■= fi. Given another point 
Q = (^ 2 >p 2 ) € P, it satisfies the above properties and if Q ^ — P, then P © <} = (* 3 , ps) 
where 


and 


xs 


{ 


/ ya-Hyi 

Va^ + X\ 


) 


3 


+ 


yi+y3 

Xx 4-«3 


+ ri + «a + eSf 


ifP^Q 

ifp=g. 


(~^“)(®i+*3)+yi+xs, \tP^Q 

*l + {*1 + + «3, if P oe (J 

\ Xxf 


3.2.3 Properties of Elfiptic Corves defined over a field Fk 


(3.2.16) 


(3.2.17) 


Theorem 3.3.1* (Hosse [6, 14 , 21]) Let if^E{Fk) be the order of an elliptic curve 
group E{Fk) defined over a field F/, toith k elements. Then 


(V^ - If < #P(F*) <[y/k + If (3.2.18.0) 

or 

#£/(!%) ss k-tl’+ak (3«2.18J} 

where Ij + 1 fa the expected number of solutions and is the discrepency aa (by 
Riemann Hypothesis for Abelian Variants of dimension i) 


|o*| < 


(3.2.18.C) 



29 


Theorem 3.2«2i (Cas$ela [6J, fSlJ) The group E{Fk) ^ either cyclic or the product 
oj two cyclic groups of order mi and mj satisfying 

mi (ma, mi \gcd{m^ * - 1) (3.2.19) 

where m = f^E{Fi,) and F* has k elements. 

C3orollaryi If 4E{Fk) is squarefree, then surely E{F,,) is cyclic. 

Remark: Similarly for the other case, (f #F(F*) is non-squarefree, tften£?(F*) need 
not be a cyclic group. 

Cmsider m = ff:E(Fk) to be asquare ie m s=pj where pi is aprime number. Assume 
that the group has the order m of the fiarm {y/k + 1)* (this satisfies Theorem 3.2.1). 

(\/k + l)*«p? (3.2.20) 

jt«(pi-l)3 


and 


gcd{m, fc - 1) = gcd(pl, k-1) (3.2.21) 

==gcd{{y/k + l)\k-l) 

which is greater than 1. Here the group is a product of two cyclic groups. Hence, our 
assertion is proved. 

3.3 Classes of Elliptic Curres used for implenieiitation purposes 

Certain classes <rf elliptic curves are of special interest to our work [3, 16]. We 
discuss their properties. 

Theorem 3.3.1: Let p bean odd prime satisfying 


ps 2 (mod 3) 


(3.3.1) 



30 


Then for 0 < ft < p, and a = 0, JE{Fp) it a cycUe group of order 

#£?(Fp)«p+l (3.3.2) 

Proofi 

E{Fp) : y* = a:* + 6 (3.3.3) 

Fbrpa 2 (mod 3 ), the mapping x — ► fa a permutation in Fp. Therefore for every ft, 
there are exactly numbers x e Fp such that (** -f ft) fa a quadratic residue and for 
eadi such a, there are two pc^ts on E{Fp) via. («, + ft). Thfa ounbined with the 

p<^ (— fti, 0 ) and Q , there are (p + 1) pcants on E(Fp). 

Tb prove that E{Fp) fa cyclic , assume it fa not cyclfc.Then, 

E{Fp) Zjvi X Znj ( 3 . 3 . 4 ) 

where .ATi JVa « p + 1 and Ni\N2 and iVi|ycd(p+ l,p ~ 1). 

Now, Ni equals 2 and JVj is even. Thus the group Zff^ x JSjv, must have four elements 
such that —P *8 P. However there are cmly two pdnts F =» O and P = (-6^,0) for which 
-P = P, since the only points where ~P = P are the points (a;,y) with y = 0. Thfa 
contradicts our assumptkn and hence proved. 

Theorem 3 . 3 . 3 : Let p he a prime satisfying p = 3 (mod 4). Then, for 0 < a <p, 
toe have 

#P(Fp)a:p+l (3.3.5) 

Moreover, E{Fp) is cyclic if a is a quadratic residue modulo p and F(Fp) Si Zt^ x Z2 
otherwise. 

Theorem 3 . 3 . 3 : Lei m be an odd positive integer greater than q. Then the elliptic 
curve group defined hy 


E{Fr >^) : y* + y ea X* + ft 


( 3 . 3 . 6 ) 



31 


hcu 2" -f 1 soluUoru. 

Proofi By an atguement similar to the one given in Theorem 3.3.1, a — * + 6 is a 
permutatkm polyncanial over JFJ" and exactly half the dements i.e 2^“' have trace iunction 
(discussed in next section) equal to 0. Therefore, sdutions for the quadratic equation ^ven 
by Equatkm (3.3.6) exists for 2"“^ cases. Hence total number of solutioiis is 2.2*"~^ ■» 2” 
and including the identity element of the group O, we have in all 2" + 1 sdutions. 

Tb avoid cumbersome oomputatioos, it is suggested to use the following subclass of 
elliptic curves. Fbr char(Fjk) =*2, ks= 2^, 

a) J-invariant class 

£i :y* + y=.a:*46 (3.3.7) 

Since the order of the above elliptic ciurve group is given by #JS?(jFat«) = 2* + 1, and 
since 2 does not divide 2"* + 1, we could choose 2*" 4 1 =» 3.p* where p* is a large prime. 

b) j-variant dass 

£^:y*4ajy = x’46 ' (3.3.8) 

Here, the choice of m being odd is also advantageous since it is easy to recover the 
y-coordinate of a point given its x-cooidinate (this is discussed in detail later in the text). 
This helps in reducing message expansion when ciphertext is encrypted. 

Curves over F^m with zero j-invariance are preferred since 

i) Arithmetic over Fsm is easier to implement in normal basis representation (discussed 
later) since a squaring operation is equivalent to a simple left shift operatkm. 

li) Fw doubling c^ratkm, further reductkm in ccMuputatkm is achieved by choosing 
03 = 1 by whidi inversion operation at eadi step is eliminated. 

There are three useful classes of curves over with tn being odd 

y* 4 y — 

y*4y s»**4x 
y*4y =«x*4x4l 


(3.3.7.«) 



se 

For char{Fk) > 3, we use 

(3.3.9) 

Since the above elliptic group has an order ^E{Fi,) = p + lforps2 (mod 3), and 
p being odd, we have 3|(p 4- 1) and 2|(p + 1). Hence fw encryption purposes, we mi^ 
choose p as fcfiows. Choose (p 4 1) s 2.3.p'* where p* is another large prime. Therefore 
p = 2.3.P* 4 1. 

The motivati<m of adopting such a scheme is that given an elliptic curve with coeffi- 
cients arldtrarily chosen from the field Fk over which it is defined, the best algorithms for 
computing the cader of the group (13], in addition to being complicated, have a running 
time 0{loii^q)y where q is the largest prime factor of the order of the group #£^(Fjb). The 
probabilistic nature of the algcaithm renders it unsuitaUe for implementatkxi purposes. 

3,4 Message Embedding Schemes 

Fhan a practical viewp<mt, the first step is to find the points of a given elliptic curve 
defined over a specified field Fi, having characteristic denoted by €Jmr{Fk)» We shall discuss 
two cases 

a) the general case of Add F), having char{Fk) > 3 

b) the specific case of field Fk with char{Fk) « 2,1; »= 2", n being an odd integer. 

3.4.1 Impleiiieiitatiaii met fields of characteiistk > 3 

We define the elliptic curve Ex as 

Ex'. ^ -F ax + h (3.4.1) 

Note that the general Weirstrass eqpiatkm given by equation (3.1.1) is isomorphic to as 
defined above 

We start with the concept of quadratic reddue. 

Deflnltioiu |18] Ltt m > 1 be a fixed integer An integer a with grd(a,m) 1 i* 
called a quadratic residue modulo m %S the congruence equation 


x^ s a (mod m) 


(3.4.2) 



Fie. 4: PROCEDURE FOR FINDIN6 SOLUTIONS FOR E(eF(p)) 








Table 2: Abelian Group formed by Elliptic Curve B = over the fidd Fn 


( 0 , 24) 

( 0 , 55 ) 

( 1 , 19) 

( 1 , 60 ) 

C 2 , 28 ) 

( 2 , 51 ) 

( 4 , 31 ) 

( 4 , 48 ) 

(5,4) 

( 5 , 75 ) 

(8,7) 

( 6 , 72 ) 

( 9 , 25 ) 

( 9 , 54 ) 

( 11 , 20 ) 

( 11 , 59 ) 

( 13 , 28 ) 

( 13 , 53 ) 

( 15 , 0 ) 

( 17 . 0 ) 

( 16 , SO ) 

( 16 , 49 ) 

( 19 , 31 ) 

( 19 , 48 ) 

( 21 , 18 ) 

( 21 , 61 ) 

( 22 , 28 ) 

( 22 , 515 ) 

( 24 , 17) 

( 24 , 62 ) 

( 27 . 7 ) 

( 27 , 72 ) 

( 31 , 34 ) 

( 31 , 45 ) 

( 32 , 21 ) 

( 32 , 58 ) 

( 33 , 32 ) 

( 33 , 47 ) 

( 34 , 15) 

( 34 , 64 ) 

( 35 , 5 ) 

( 35 , 74 ) 

( 39 , 11 ) 

( 39 , 68 ) 

( 40 , 2 ) 

( 40 . 77 ) 

( 42 , 38 ) 

( 42 , 41 ) 

( 43 . 13 ) 

( 43 , 66 ) 

( 44 , 10) 

( 44 , 69 ) 

( 46 , 7 ) 

( 46 , 72 ) 

( 47 , 0 ) 

( oo , oo ) 

( 52 , 32 ) 

( 52 , 47 ) 

( 55 , 28 ) 

( 55 , 51 ) 

( 56 , 31 ) 

( 56 , 48 ) 

( 57 , 17 ) 

( 57 , 62 ) 

( 58 , 14 ) 

( 58 , 65 ) 

( 62 , 21 ) 

( 62 , 58 ) 

( 64 , 21 ) 

( 64 , 58 ) 

( 66 , 9 ) 

( 66 , 70 ) 

( 67 , 27 ) 

( 67 , 52 ) 

( 73 , 32 ) 

( 73 , 47 ) 

( 77 , 17 ) 

( 77 , 62 ) 

(78. 1 ) 

( 78 , 78 ) 




35 


h(U a solution. If equation (3.J^.2) has no solution, a ts called a quadratic non- 
residue modulo m. 

Theorem 3.4.1: [15,18\Ifp is anoddpnmeandgcd{a,p)ssl. Then the congruence 
equation (S.4-2) has two solutions or no solution accordingly as 

s +1 or — 1 (mod p) (3.4.3) 

Example: CTonsider the field JFV. The elements comprising the multiplicative group are 
1 , 2 , 3, 4, 5 and 6. 

Consider 1 * s 1 , 2 * = 1 , 3* = — 1 , 4* = 1 , 5* s — 1 , 6 ^ s — 1 , all evaluated modulo 7. Hence, 
by the above theorem, 1 , 2, 4 are quadratic residue mod 7 whereas 3, 5 , 6 are quadratic non- 
residues mod 7. Notice that = 6 ^ s 1 (mod 7), 3^ s 4* = 2 (mod 7 ), 2^ s 5^ = 4 
(mod 7). 

We find that there are exactly numbers between 1 and p which are quadratic residues 

A 

modulo p and each one of these quadratic residues have two solutions over Ff,. 

Hence a general procedure fcs: finding the points of a given elliptic curve defined over 
a specified field can be depicted as shown in Figure 4. 

iCirmtiplw ConMder the abelian group formed hy E :y^ — 1 over the field F 79 . Ibble 

2 illustrates the points on E{Fi^) which have been simulated using the above algorithm. 

S.4.2 Impleinentatioii oTer fields of characteristic = 2 

We shall restrict our attention to elliptic curves of the form ^ven by 

: p* -h ajy = ar® -f 04 ® -|- og (3.4.4) 

Although this is a specific case of j-invariant elliptic curves, yet the procedure for 
finding solutions for the j-variant curves proceeds exactly in a similar fashion and the 
results here can be easily generalised. 



36 


Equatkxi (3.4.4) can be ccmsidered a general quadratic equation of the fonu 

pa^ + q* + r « 0 (3.4.5.a) 

px 

defined over Fji, char{Fit) =* 2. Substituting y b — , the above equation ks recast as 

9 

y* + y + ^ “ 0 (3.4.5.ft) 

defined over Fi,^char{Fk) » 2 . 

Therefore, without loss of generality, we consider only the solutions of equations of the 
form (7, 20} 

a;* + a; + /B0 (3.4.6) 

defined over Fk^ char(Ji) b 2. Note that the standard procedure of finding roots for a 
quadratic equation |«e* + 9 ®+ r » 0 as ® » — - does not hold good since the 

denominator 2 r s 0 fear char(Ii) » 2 . 

The blowing theorems beemne relevent in our dfecussion. 

rbeexom S. 4.21 Every element of the field Fk char^Fi,) = 2 , A; == 2 ” ha* a square 
root in Ft,. 

E*roofi FVx the case of the zero element. It is its own square root in any Add. For the 
oon-zeto elements, consider a fieM Fk with char{Fk) = 2 with a primitive element a. Then 
my element fi can be written as for some i. Then if f is even and 

f t is odd. In both cases y/^ € Fk. 

[>eflnitk>iu [15] The q-aty trace of an element fi of F^ is the sum 

m— 1 

trace(fi) = (3.4.7.a) 

Assuming Qi,Q 2 are the elements of of characteristic q, (qi + oti)^ b ai^ + 03 ^ is 
rue. Hence, the power of the q-ary trace of is equal to the q-ary trace of fi and thus 
he q-aiy trace is an element of the ground field F,. If fi has m elements in its coqpigacy 



37 


claas, then trace(fi) is the sum of all the elements in the conjugacy class. Otherwise, the 
number of dements in the ccn^Jugacy class divides m, and the number erf times eadi element 
is added into the trace is given by this ratio. 

Hence it fbUows, 

trtuxifi + 7) » trace{0) + <race( 7 ) (3.4.7.6) 


and that all the conjugates have the same trace. 


Far 


Exnmplet Conmder the trace function for the elements of the field -j — ^ irhkh has 

SC T* 3/ *7“ X 

been simulated purposes of illustration 


Ihble : l^ace Function far elements of the fidd 


Elements in coi\jugacy dass 

Ihtce Function 

1 

1 

a ^ or* a* a* a** 

0 

a® a® 0 ^ a®* a®® 0 ®® 

0 

a® q“ o» a«® a« a®® 

0 

a'® a* 0 ®® a” 

1 

oP^ a®® a** a®® a®® a®* 

1 

aW a* a®» a*i 0 ®® o’® 

0 

^IT ^ «1S ^3S ^7a 

0 

a« a» a« a®® a®° 

1 

o®® a®^ o»® o’® 

1 

a®® ai* a*® a®' a®“ a" 

1 


Tbeorem S.4.S> The quadratic equation x^+x-^a=tO where a is an element of 
has a root in F 2 » if and only if the binary trace of a equals zero. 

Proofs Let /3 be a root of the quadratic equation. Then the binary trace of the quadratic 
equatkm evaluated at 0 gives 

tr€ux(j3^ + + a) =« frace(O) =» 0 (3.4.8) 


t a is a primitive root of the irreducible polynomial f(x) = 4- a;® *f 1 which 

generates Fp ue /(a) ** 0 




38 


Novr the traces of 0 and 00 are same ekments in ground field F 2 and thus, 

trace(fi) + tract{00) sa 0 


(3.4.9) 


and thereiOTe lT<ux{a) » 0. 

Conversely, every 0 i» a. zero (Ag0 + x + afoi some o, i.o. a * —{0 + 00). There are 
such a with zero trace, and this just enough to form equations, eadi with two roots. 
This completes the proof 

Coming back to the problem at hand, let a be an element of and let irace{a) be 
denoted as T 2 (a). Hence, 

m-1 

(3.4.10) 

and since T 2 {a) € fs, 73(a) is either zero or one. 

By our discusskais above, we find that Equation (3.4.6) has a solution in if and 
only if 12(1) * 0. 

Theorem 3.4.4i Let xi € F^m he one solution of Equation (S.4‘6). Then the other 
solution is given by 14-xi. 

Proofi We have 

ajj + Xi "i- 1 =» 0 

l + a:i-fl + *1 + 1 = 0 

(1 + * 1 )* + (1 + * 1 ) + 1 = 0 

which clearly shows that the other solutioa is g^ven by 1 + xi. 

Theorem 3.4.5} Assume Equation (S.4-6) has a solution *1 tn Fs* and m is odd. 
Then one solution *1 can he expressed as 

(3.4.11) 

iel 

where I = {1, 3, • • • , m — 2} and J = {0, 2, 4, • • • tn — 1}. 



FIG. 6: 

PROCEDURE FOR FINDING SOLUTIONS ON E(GF(2")) 

n 

X l8 an element in QF(2 ) 









Table 3: Abelian Group formed by j-invariant Elliptic Curve B = over the 
field Fjr 



and the seio of the group O = (oo, oo) 


^ a w a prtmtiwe rvot oj the^ nredttcible pol^ncmtal /(x) = + 1 whtch genemted t,e 

/(a) = 0 







Proofi 


1 8 = 


41 


Adding we get, S^fijr ^ “ ^i(®) + *• Now, T 2 {x) is either 0 or 1 and the sum of roots 
equak 1. 

Therefore, xi =» YlfeJ ^ ' 

Since a;i is a sdutkm of Equatkm (3.4.6) iflf Ta(/) = 0, xi = 

The above theorem provides a simple and straightfcnrward scdutkm to Equation (3.4.6) ior 
odd m. 


Hence an overview of the procedure fw finding solutkms is shown in Figure 5. 

EbLumplet Ccmsider the abelian group formed by .E : |^ + y = ^ over the field 

Fy 

(gy + g>-f i) ‘ ^ « he ft primitive root of the pcdynomial. Ihble 3 illustrates the pcdnts 
on E{Fy) whidi have been simulated using the above al^rithm. 



42 

Chapter 4 

Elliptic Curve Cryptosystems 

4.1 Elliptic Curve Cryptosystems over Finite Fields 

In this secticm, we shall discuss the elliptic curve analogs of the various public-key 
cryptosystems discussed in previous chapters We start with the Elliptic Curve Pohlig- 
Hellman Scheme. 

4.1.1 Elliptic Curve Pobfig-HeDnian Scheme 

Consider am elliptic curve E{Fk) defined over a field JF* of characteristic char{E{F),)). 
Ab discussed earlier, it forms an abelian group of order ^E{Fk). 

The communicaticui is assumed to be between user A and user B. E>adi user M is 
provided a pair of k^TS {(My 6 m) where tM i* made public (the public-key) and 6m is 
known only by user M (the private-key). If user A wishes to transmit a message tn = 
(a:, y) € E{Fk) to user B, she computes the enciphered message c as, 

c = epm (4-1.1) 


where 0 < < ^E{Fk) 

User B deciphers the message m by using a deciphering transformation 

m = 6bc (4.1.2) 


where 0 <6d < if=E{Fk) sudi that 

€d6d s 1 (mod 4E{Fk)) (4.1.3) 

The security of the system lies in computing the discrete logarithm problem over 
elliptic curve groups i.e. 



43 


Given an elliptic curve B{Fp) defined over a field and two points P,Q G P*{Pp)» 
find an integer rj such that 

Q^VP (4.1.4) 


iS such an tj exists. 

This proUem seems to be more intractiUe than the classical discrete logarithm prob- 
lem defined over multiplicative groups. The strongest techniques for the latter (like the 
Index Calculus method etc.) do not seem to be applicable to the elliptic cturve analog. 
Especially in the case Fj*, the discrete logarithm over it are found to be relatively easy 
to compute unless m is chosen to be quite large. It is likely that the analogous system 
using elliptic curves over Fsm will be secture with significairi;ly smaUer values of m. Hence 
by a careful choice of the order of the ^ptic curve group by ensuring the order of the 
cyclic subgroups are non-smooth i.e. divisible by large primes only, the discrete logarithm 
proUem can be made very difficult for the cryptanalyst. 

Exannpler Consider elliptic curve £? : = ac* -b 1 defined over Fn (see Section 3.2). This 

group has an order equal to 80 Let (3, 27) be the pair of (with its usual meaning) 
with a user B. 


Suppose A wishes to encrypt a message m » (34, 15). She sends the ciphertext as c » 
3m =3 3(34, 15). The result on simulatkm is c « (57, 17) which is sent to B. 

On receiving it B deciphers it as m » 27c = 27(57, 17), which on simulation gives m sa 
(34, 15), the CHiginal messagetext. 


Examplet In a similcur way, cmisider elliptic curve F : -t j/ -f- 1 defined over 
where /(x) is the irreduciUe pc^ynomial ** -f 1 and let a be the primitive root 
(/(a) = 0). This group has an order equal to 129. Consider the key-pair (5, 26) with user 


B. 


Suppose A wishes to send B the message m = (a**, a**). She sends the encrypted text as 
c =» 5m 3= 5(a^, a**) = (a®®, a'“), which is sent to B. 

On receiving it B deciphers it as m =* 26c =« 26(a“, a^“) = (a", a*®), which is the original 
messagetext 



44 


4.1.2 ElUptk Curve Massey-Omora Scheme 

Ocmskler an elliptic curve E{Fi,) defined over a field Fi, with characteristic char{E{F},)) 
and OTder #E(J^). Here we let F*, E{Fk) and #F(P]b) to be puUkly known and fixed [14J. 

Suppose user A wishes to conununkate with user B by sending a messagie m. She 
diooses a random int^ra rh suA that 0 < »ji < #F{F*) and gcd{ijiy^E{Fk)) = 1 and 
sends to B, 

Cl «e Tfim (4.1.5) 

Next B chooses a rancknn integer ci with the same properties and transmits to A, 

PI a eici B (4.1.6) 


Now A chooses an integer rfy suA that 0 < ib < i^tF(F/k) and gcd{r) 2 , #F(F*)) «* 1 and 

Thm = 1 (mod #F(F*)) (4.1.7) 


and sends toB, 


Cs = lj202 

= »b(eici) 

« V2{ei{rh{m))) 
B €itn 


(4.1.8) 


On receiving cij, B uses an integer ej suA Aat 0 < < ^E{F\) and gcd{^^ <^E{Fk)) “ 1 


and 

ei <2 s 1 (mod #F(F*)) (4.1.9) 


and decrypts the ciphertext as, 


C4 =»€2CS 

»= e2(’?2(<i(>?i(m)))) 
= <2(€i((m))) 


(4.1.10] 


= m 



45 


Example) C<xigider the elliptic curve B : y^+y ** a^+1 defined over Fft (See Section 3.4). 
Note that the extier of the elliptic curve group is 129 and it is a cyclic group. Cenosider User 
A has the set of keys (ihf 73 ) = (13^ 10) and User B has the set of k^rs j^ven by (ei, 62 ) » 
(4,97). Let a message m =* (o*’^,a^) be encrypted by A as ci a 71 m * 13(Q®''^,a^) « 
(a®,a*^). Next B sends bade to A the ciphertext = 4(a®,Q!“) = (a**,a|'*). On 
receipt of ca, A sends to B cji s I0(a**, a'^*) ** (a™, o^) and B uses ps to get the original 
message m *« 97(a:’^,a**) =» (a*^,a^). The majex advantage of such a procedure is that 
the key-pair is totally dedded by the user using it and the other ccmimunicadiing party 
need not know anything about the keys. So there is a greater flexibilily for the user to 
change key-paiis at will But the obvious disadvantt^ of sudi a scheme is that any pair 
of users have to communicate three times over a duumd to Ixoadcast a message. 

4.1.3 EOiptk Cunre £1 Gamal Sdieme 

Consider an elliptic curve E{Fk) defined over a field F^ with characteristic char{E{Fi,)) 
and order ^B{Fk). Let g € B{Fk) be a fixed and publicly known point [14, 16]. Let the 
communication link be between user A and us^ B. 


The receiver B chooses an integer 0 <<p < ^E{Fk) randomly and putdishes the key 
y>g keying secret. 

Suppose A wishes to transmit a message m to B, m € E{Fk). She dhooses a random 
integer k sudi that 0 < /c < ^E{Ff^ and sends the following pair as the encrypted text to 
B. 


£= (K^,m©/c(v^)) 


(4.1.11) 


To decrypt the message, B multiplies ng with his secret key (p and subtracts Ktpg fix}m the 
second point in the pair to get the original message. In actual practice, once subtractimi 
operatioii is equivalent to oomplementaiy addition < 7 >eratk«i in finite Adds, the decryption 
occurs as B uses an int^er satisfying 0 < < <^E{Fic) and (p®(/ s Q (mod #£(F*)) 

and multiplies Kg with his secret key <// and adds ivp'g to the second point in the pair to 
get the original message since, 

m © K{(pg) © K{(p^g) = m ® (ntpy © K(p'g) (4.1.12) 

= m © Kg{(p © (p') 

= m©fi 

=im 



46 


Ebcamplei Assume the elliptic curve group E{Fn) as coosided above. Let the publicly 
kuovrn point g be ■= (66, 31). Suppose B diooses ^ 23 (and therefore ^ 67 and 

puldishes tpg » 23(56,31) (19,48). Suppose User A wishes to communicate a message 

m s: (11,20) to B. She chooses a random k » 51 , oennputee ng s 51(56,31) as (73,47) 
and m 0 K{(pg) = (11,20) 0 51(19,48) = (66,70) and transmits to B the fcdlofwing pair 
of points ((73,47), (66,70)). On receiving, B computes 57(73,47) ■» (5,76), whkhi when 
added to (66,70) gives (11,20), the message text. 

Here again, the security of the system dq>eD(fe cm the elliptic curve discrete logarithm 
problem. 

4.2 Generalised Elliptic Curve Cryptosystem defined 
over Finite Rings 

Till now, we have limited our discussions to cryptosystems based on finite abelian 
group structure. In this sectioa, we propose to generalise this further by defining cry]>- 
tosystems based on finite m(xioid structures. For this, let us first consider a ring where 
n is a product of large primes {ft} Vt e {0, 1, • • • , I: — 1} i.e. 

Ic— 1 

n = Ilft (4.2.1) 

*=o 

Now, the ring Zn can be decomposed as a direct sum of rings as 

® ^pi © • * ' ® ^i»-i (4.2.2.0) 


or eqviivalently, 




Zn^^Zi 

i=0 


(4.2.2.6) 


Conner an elliptic curve E defined over the above ring Z„ and represented as E(Z„). 
Now, we find that the structure formed by E{Zn) is, in general, a monoid structure (we 
shall soon find out that there are certain points on the elliptic curve structure which do not 
have well-defined group operation). Obviously, there are certain difficulties when we define 
cryptosystems over sudi a monoid structure since there may be certain messages which we 



FIGURE 6: 


GENERALISED CRYPTOGRAPHIC SYSTEM 

P and mP belong to E(Z ) 



ENCRYPTION STAGE 







48 


may not be able to recover after they are encrypted. This is because in an abelian group 
structure, we are guaranteed to recover message from ciphertext because each element of 
the group has a well-defined unique inverse. Hence, thoe is a fiinite probability of error 
that we would not be able to recover our message text after it is encrypted in such a 
sdieme. 

Tb cany out encryption and decryption sdiemes, we use the fdUowing procedure. 
Since the elliptic curve mcmokl E(Zn) can be further decomposed as 

B(2.) a E{Zf,) 0 0 ■■ (4.2.3.0) 


or equivalently. 


*-i 


£(Z„)a0£:(z„) 

M> 


(4.2.3.6) 


Now, each of the E{Zp,) Vi € {0, 1, • • • lb — 1} are abelian group structures which may 
or may not be cyclic groups. In case they are non-cyclic groups, they can be further 
decomposed as a direct sum of cyclic subgroups i.e. 


B(Z„) a 0£^0 

q/die non-cydia 
- ® ® (© )) 


(4.2.4) 


where J is the set of all cyclic subgroups of E{Z,^^ K is the set of non-cyclic subgroups 
of E{Zn) and L is the set of all cyclic subgroups of set K. Figure 6 illustrates the above 
statement. 

Consider a point P € E{Zn) to be encrypted aaQ = tjP where Q € E{Z„) and rjeZ, 
the set of positive integers. We can carry out the efixnre operation by first decomposing P 
as ^ ^ 

P^^Pp, 

isc0 


(4.2.5) 



Table 4: Monoid Structure formed by Elliptic Curve B + l over the Ring Zia 


(0,1) 

( 0 , 54 ) 

( 0 , 21 ) 

( 0 , 34 ) 

(2,3) 

( 2 , 52 ) 

(2,8) 

( 2 , 47 ) 

(5,4) 

( 6 , 51 ) 

( 5 , 26) 

( 5 , 29 ) 

( 7 , 17 ) 

( 7 , 38) 

( 7 , 27 ) 

( 7 , 28) 

( 9 , 20) 

( 9 , 35 ) 

( 10 , 11 ) 

( 10 , 44 ) 

( 20 , 9 ) 

( 20 , 46 ) 

( 20 , 24 ) 

( 20 , 31 ) 

( 22 , 12 ) 

( 22 , 43 ) 

( 22 , 23 ) 

( 22 , 32 ) 

( 24 , 25 ) 

( 24 , 30 ) 

( 27 , 7 ) 

( 27 , 48 ) 

( 27 , 18 ) 

( 27 , 37 ) 

( 29 , S ) 

( 29 , SO ) 

( 32 , 22 ) 

( 32 , 33 ) 

( 35 , 14 ) 

( 35 , 41 ) 

( 35 , 19 ) 

( 35 , 36 ) 

( 40 , 6 ) 

( 40 , 49 ) 

( 40 , 16 ) 

( 40 , 39 ) 

( 42 , 13 ) 

( 42 , 42 ) 

( 43 , 2 ) 

( 43 , 53 ) 

( 44 , 10 ) 

( 44 , 45 ) 

( 49 , 15 ) 

( 49 , 40 ) 

( 50 , 0 ) 

( oo , oo ) 


aad poiat® aotxjaally repreeeated aa (Ki), (Ha), 

tiune 


I (His) ^ which are aleo elenxeata of the njonoid ertruo- 


t see Jhble 5 




Table 5: Decomposing Monoid E(Zss) uung E(Zss) ^ E(Zs) 0 E(Zu), a direct sum of two Abdian 
Groups 


(0. l) 


mn 

■PS^"SVH 

(0. 1) 

(0.64) 


(0. 4) 

mm 

(0,10) 

(2. 3) 


(2, 3) 

e 

(2, 3) 

( 2, 62) 

Qt 

(2, 2) 

0 

(2. 8) 

(fi. 4) 

Cist 

(0. 4) 

0 

(5. 4) 

(5,51) 


(0. 1) 

0 

(5. 7) 

(7. 17) 

& 

(2. 2) 

0 

(7. 6) 

(7.38) 

Q£ 

(2. 3) 

0 

(7. 6) 


& 

(4. 0) 

0 

(9. 9) 

(9. 35) 


(4. 0) 

0 

(9, 2) 

(10,11) 

Qt 

(0. 1) 

0 

(10.0) 

(10,44) 


(0. 4) 

0 

msssm 

(20.9) 

Qt 

(0, 4) 

0 

(9. 9) 

(20.46) 


(0, 1) 

0 

(9.2) 

(22,12) 

& 

(2, 2) 

0 


(22.43) 


(2. 3) 


ms^m 

(24,25) 


(4, 0) 

0 

(2. 3) 

(24,30) 

Qe 

(4. 0) 


(2, 8) 

(27.7) 


(2, 2) 

0 

(S. 7) 

(27.48) 


(2, 3) 


(«. 4) 

(29.5) 


(4. 0) 

0 

(7. 5) 

(29,60) 


(4, 0) 

E9 

(7, 6) 

(32,22) 

& 

(2. 2) 

0 


(32,33) 


(2, 3) 


(10, 0) 

(35.14) 


(0. 4) 

0 

(2, 3) 

(35,41) 


(0, 1) 


(2. 8) 

(40.6) 

Qt 

(0. 1) 

0 

(7. 6) 

(40,49) 


(0. 4) 


(7. 6) 

(42,2) 


(2. 2) 

0 

(9. 2) 

(42,53) 


(2, 3) 


(9, 9) 

(44,10) 


(4, 0) 

0 


(44,45) 

ca 

(4. 6) 


(0. 1) 



(4. 0) 

0 

(5. 4) 

(49,40) 

S 

(4. 0) 


(5. 7) 

(34,0) 


(4, 0) 

0 

(10,0) 

(54,0) 

Qt 

(4. 0) 


(10, ot) 

(Hi ) 


(0. 1) 

0 

(oc\oo) 

(Hj ) 





(H> ) 


(2, 2) 

0 


(H3 ) 

Qd 

(2. 3) 


(00,0a) 

(H 4 ) 


(00,00) 

0 

(0, 1) 

(Hs ) 

Qd 

(00,00) 


(0,10) 

(He ) 


(00,00) 

0 

(2. 3) 

(Hr ) 

Qt 

(00,00) 


(2. 8) 

(H« ) 


(00,00) 

0 

(S. 4) 

(H« ) 

/■s/ 

(00,00) 


(S. 7) 

(Hio ) 


(00,00) 

0 

(7. 5) 

(Hu ) 

S 

(00,00) 


(7. 6) 

(Hu ) 


(00,00) 

0 

(9, 2) 

(Hi 3 ) 


(00, CX)) 


(9. 9) 

(Hm ) 


(00,00) 


(10,0) 

) 

Od 

(oOjOCj) 


(10, 0) 


f * point 1 of order 2 


I ' point 2 of order 2 





51 


where Pp, € E{Zp,)Wi € {0, 1, • • • , I; — 1}. Now, we have a well-defined additicm operation 
defined over E{Zp,)\fi 6 {0, 1, . . . , A: — 1}. Hence, Q = rjP can be computed as, 

Qih = nPp, ( 4 . 2 . 6 ) 

Vt € {0, 1, * • • , A: — 1}. We may further decouple the additi<m operation by condderlng 
operatkxis over ncm-cyclic groups as addition operations over their cyclic subgroups. So, 
in general, we have the fcdkxwing sets oi equations governing the above addition c^>eratiQn, 

Qp,=nPn ( 4 . 2 . 7 ) 

where j e J,jm € Lbs defined above. Tb get back Q from the various Qp^ where k € JU£, 
we use the Chinese Remainder Theorem. 

Theorem 4.2.1. (Cbineee Remainder Theorem) Let nio.mi,* • • ,m„ e Z be int^^ 
wbkb are pairwise relatively prime, i.e gcd{mi,mj) * 1 Ibr t j and let tt< € Z,„^,i 6 
{0| 1> • • * >n} be n-b 1 specified residuea JFbr any fixed integer aE Z, there exists a unique 
integer ueZ which satisfies the following conditkma 

n 

o < tt < o + m, where m = JJm* (4.2.8) 

i=0 

usui (mod mi),0 <i<n 

In particular, it has a tmique solution tt E Zm- The value of x is given by x 

tiimj/i + U 2 Tnp 2 H + Unmy„ where m'.yi = 1 (mod m<),i € {0, !,•••, n} and mj = 

t € {0, 1, • • • ,n}. 

Hence, we are able to encrypt a message m aa P ^ E(Zn) as c =* ijP E E(Z„). 
Decryption of m from c can be done as 


where rj[ eZ such that 


m *» 7 c 


( 4 . 2 . 9 ) 




niAU 


TjTj' = 1 (mod #m) 


( 4 . 2 . 10 ) 



52 


where #m = lcm{if:E{Zp^), 4^E{Zp^)y • • • , #JE?(Zp^,)), i^E{Zp,) is the order of the abelian 
group E{Zp,)\fi € { 0 , 1 , • • • , fc — 1 ). We use a procedure similar to the one outlined above 
(replace for 17 ) to recover m. 

However, there are a few ciphers (Hj) € IT where f € {0, 1 , • • • ,p} where p € Z from 
whkh we are unal^e to recover the original messages after decryption. We shall derive a 
closed frxm expression fear the probability of error after illustrating with an example. 

Exampku Consider the ring Zu and an elliptic curve E : yi^ =1 + 1 defined over 

it. We denote it by E{Zsg) whkh forms a memoid structure. The points in the elliptic 
curve nKMioid are given in Tsible 4. Note that there are points (^)tt € { 0 , 1 , • • • , 15} for 
which the group addition law is not well-defined. Table 5 illustrates the decomposition, 
E{Zifi) St E{Zi)^E(Zii)f whkh are finite abelian group (in fact cyclk as well). The 
mrder of these groups are 6 and 12 (See Chapter 3) respectively. 

Consider a point P *»= (7, 38) € E{Z^ which is to be encrypted as Q a: 5P =» 6(7, 38). 
Using the fact, 

(7,38)a(2,3)0(7,6) (4.2.11) 

and thus, 

5(7, 38) a 5(2, 3) 0 5(7, 5) (4.2.12) 

which on computatkxi is (5,4) 0(4,0). To calculate the point Q € E{Zss), we use the 
CRT as, 

determine (r,y) € E{Zss)f such that (r,y) (5, 4) 0(4,0). The set of equations are 

r s S (mod 11) £34 (mod 5) (4.2.13) 

y 3 4 (mod 11) y s 0 (mod 5) 

{mi, ma, yi, yj} >« ( 6 , 11 , 9, 1 } from which we obtain (r, y) «= (49, 15), the desired solution. 

It can be noted from the example that the set of ciphers (H<) € H, t € {0, 1 , • • • , fc — 1} 
have at least cme tuple equal to ( 00 , 00 ) when r^resented in k-tuple form. Hence, all the 
ciphers N which can be recovered is given by 


N = (#B(Z„) - 1)(#«(2„) - 1) • • ■ {*E(Z^,) - 1) 


(4.2.14) 



2^* I I 

TaUe 6 H List of acpooeiitiais 1w %vhidi — ^ it Prime 



Exponents 

2-100 

3, 5, 7, 11, 17, 19, 2a, 31, 41. 43, 47, S3, 59, 61, 71, Vs, 83. 89 

100 - 200 

101, 107, 113, 127, 181, 137, 149, 167, 173, 179, 191, 197, 199 

200-300 

227, 233, 239, 251, 257, 263, 269, 281, 293 

300 - 400 

311, 313, 317, 341, 347, 353, 359, 383, 389 

400 - 500 

401, 419, 431, 443, 449, 461, 467, 479, 491 

500 - 600 

503, 509, 521, 557, 563, 569, 587, 593 599 

800 - 700 

617, 641. 647, 653, 659, 677, 883 

700-800 

701, 719, 743, 761, 773, 797 

800-900 

809, 821, 827, 839, 857, 863, 881, 887 


Reproduced from Bender and Castagiom [£j 
f Maarmum value of crpptosgstem trnplernentation reported so far 







54 


and the total number of points on E{Zn) given by 5 is 

S ~ (#B(^„))(#B(Z„))-(#E(V,)) (4.2.15) 

Hence the probability of error given by Pr{E{Zn)) is 

Fr(B(Z.)) - 1 - (4.2.16) 

. (#£(Z») - 1)(#£(^) - 1) . . ■ (#£(Z„..) - 1) 

11 1 

mz„) ^ mzn) #B{v.) 

since the cwder of the subgroups are assumed to be very large. Fbr example, in a typical 
case, if the minimum order of the subgroups is around 100 decimal digits, then probaUlity 
of error ca 10~^®® which is very small and can be tolerated fiar practical purposes. 

4.3 Security Aspects 

In this section, we discuss scune basic requirements for a safe elliptic curve cryptosys- 
tem. 

4.3.1 Non b-smooth Orders 

There exists no subexpon^tial al^xithms for solving the discrete logarithm problem 
on a general dliptic curve; the fastest known techniques [2, 4, 13, 15] over multiplicative 
groups do not seem to be efi^ive on elliptic curve groups. The general algcxithm ‘®aby- 
St^ Giant-Step ” algorithm (whidi applies to any group) requites time fully exponential 
in the length of the largest prime foctor of the order of the group. Hence, in order to avoid 
an eBsy solution to the discrete logarithm problem, it is important to search for elliptic 
curves with orders of its cyclic subgroups being ixm b-snoooth numbers (d^ned below). 

Deflnitioni (21) Let 6 be a positive integer. A number m is said to be b-smooth is every 
prime factor g of m is less than or equal to 6. Thus, 


(4.3.1) 



55 


Numbera which are b-smooth are rare. The probability that a random number m <x 

is b-smooth b about tt~* where u =» (example: If a: ■» 10^®®, h *=» 10^®, then u o 10 

logo 

and probat^ty ** 10~^®). 

A chc^ce of large factors (see Table 6) is recommended for amstructing elliptic curve 
groups for cryptosystems. 

4.3.2 Non-Singalar Elliptk Curves 

Consider elliptic curve E{Fi,) defined by the general Weirstrass equation over a field 
F*. Consider a pc^t P — («!, pi) 6 F(i*i) whidi is the only singularity in F(F*). With a 
change of variables as 

X — ► x' + xi (4.3.2) 

y — » y' + yi 

we assume that Weirstrass equation reduces to 

F : y* + aixy — oax* — s* 0 (4.3.3) 

wh^ oi, ua € F* with singular point P = (0,0). Let 

y^ + oixy~oa«* = (y — a«)(y — )9«) (4.3.4) 


where a^l3£ Fk or Fjb, (defined as the quadratic extension of i^). Then P is called a node 
if a ^ and a cusp U a = p. Let E„s{^) denote the set of solutkms (x, y) e F* x F* to 
Equaticm (4 3.3), excluding the pc^t P and including the point at infinity, Q. Etu{Fk) is 
called the non-singular part of E{Fk). The group operation, addition, over this set follows 
the standard chord-and-tangent law. The fc^owing themems (2] illustrate isommphic 
relations with Fj^, the additive group of F*, and Fj^, the multiplicative group of non-zero 
elements of Fj^ 

Theorem 4.3.1 i) If P is a node, and a,j3 € Fjt, then the map (ft : En»{Fk) — ► F*, 
defined by 



(«»y) 



56 


M a group isomorphism. 

it) If P is a node, and ol,P ^ Fk, or, ^ € i%, let H be the subgroup of consisting 
of dements of norm 1 (namdy, the primitive roots of 1 in the extension fidd Fu,). 
The map ^ : EntiFi,) — ► N defined by 

(4.3.6.a) 

yy-axj 

is a group isomorphism. 

Hi) If P is a cusp, then the map w : Ent(Fi,) — ► defined by 

u,:Q — ► 0 (4.3.0.6) 

u» : (x,y) — ► f — - — 

\y-oixJ 

is a group isomorphism. 

Theorem 4.3.2 Let E(Fk) be a singular dliptic curve defined over jP* with singular 
point P. 

i) If P is a node, then the logarithm problem of Ens{Fk) w reducible in polynomial 
time to the logarithm problem in F* or F *, , depending on whether a € or a ^ Fj, 
respectivdy. 

ii) If P is a cusp, then the logarithm problem of En»{Fk) is reducible in polynomial 
time to the logarithm problem in 1^. 

Now, the logarithm problem in F^ can be efficiently solved in polyn<Hnial time and 
thus by the above ismnorphic relations, the problem of discrete logarithms in elliptic curve 
groups can also be served in polynomial time. Hence, selecting an elliptic curve with 
singularities offer no advantage over finite fields for the implementation of cryptographic 
protocols whose security is based on the difficulty of computing discrete logarithms in a 
group Instead, there is a majm: drawbadt that the group toleration in Ens{Fk) Is more 
computationally more intensive than group operations in the field F*. 



57 


4.4.3 Homomorphic and Isomorphic Attacks 
4.4.3.1 Homomorphic Attacks 

The euciyptioii and deciypikm functions r(.) and T(.) observe homomorphic property 
for group addition operation, 


r(mi ® mj) = r(mi) © r(m2) (4*4.7) 

T(mi ® m2) =» T(mi) © T(ma) 

for two points mi and ma on the same elliptic curve F(Fk). This is because the 
functions r(.) and T(.) have the form 

r : c SB ijm (4,4.8) 

T : m =» <pc 

where c,m € E{F),) and ^ and thus due to this linear relatiomhip, the above 

hmnomorphic prc^>erty is observed. This becomes a case fmr cryptanalytic attack as any 
cryptanalyst who knows the message-ciphertext relation for two messages mi and m2 also 
knows the ciphertext for the valid message (mi © m2). Obviously, by knowing more pairs, 
the cryptanalyst gets to know a wider range of ciphertexts [8]. 

Tb counterattack such an attack, we could either have an elliptic curve group of very 
large coder in which all the points of the group do not ccmstitute valid messages (with the 
prior mutual consent of the two parties communicating) and thus try to reduce diances of 
such homcanorphic attacks. However, thte is at the cost of low information rate. A second 
procedure could be to have the encrypticm functicm of the form 

r' : c « 17 m © k (4 4.9) 

where k is any arWtrary point € E{Fft) agreed by both the parties. Here, a homomcophic 
attack is not possible since. 


r'(mi©m2) r'(mi) ©r'(m2) 


(4,4.10) 



58 


The recdver decrypts by first subtractiiig pc^t k from received ciphertext and then 
folknr the standard procedure for decryptfon. Hence, the cost incurrred here is the addi- 
tional computatioos at the sender and the receiver ends. 

Exainplei Consider elliptic curve E:y^^x^ + 1 over Fn (see Example above in Section 
3 1) and message text and keys as previously stated Assume k to be the point (11,59) on 
E{Pn) , then c - 38m © k « 38(34, 15) © (11,59), which is found to be c « (58, 14) which 
is transmitted to B. 


Now, B decrypts the cipher by first subtracting k from c as mf (68, 14) © (58, 65) =« 
(57, 17), and then following the usual procedure for decrypticm Lem = 42m' * 42(57, 17) *» 
(34, 15), the original messagetext. 

Here, at both the sender and receiver eixis, we incur extra computation namely, AilHing 
to and subtracting k from the ciphertext. However, it guarantees us security from homo- 
morphic attacks, since the problem is as hard as finding the order of the abelian group 
over which the cryptosystem is based on. 

4.3.S.2 Isomorphic Attacks 


As stated in Theorem 3.1.2, two elliptic curves defined over a field Fk are ismnorphic if 
the relation stated holds true Sfo a method of cryptanaiytic attsck would he to identify one 
such isomorphic rdatkm between the actual elliptic curve group over which the cryptosys- 
tem is based upon and another elliptic curve group used by the cryptanalyst. Therefore, 
by the unique one-to-one correspondence depending on the value u, the cryptanalyst can 
determiire all points on the originskl elliptic curve group by determining all the points cm 
I the second elliptic cmrve group. However, this scheme is very difficult since it is found that 
the probability that there exists a u satisfying the isomorphic relation as stated above is 
negligiUy small (oc ) for large orders of the group E{Fic). Abo, in a practical 

irF\Fft) 

implementation scheme, the elliptic cmve group b changed (discussed later) from time to 


time, making such attacks even more difficult. 



59 

Chapter 5 

Some Computational Aspects 


In this chapter, we shall refer to some important ccunputational issues Involved in the 
implementation of elliptic curve ciyptosystenuL 

5.1 Using Affine and Projective Coordinate System 

Let us luiefly discuss a few facts from algelnaic geometry {2, 6, 16]. 

5.1.1 Homogeneous Polynomial 

Suppose f{xuX 2 ,‘-‘,Xn) € K{xuX2,-" he a homogeneous polynomial erf degree 
m, i.e 

/(tari.taa, • • • ,te«) = *”/(«!, xj, • • • , x„) (5.1.1) 

A point (ai, 03 , • • , On) € IC* satisfies 

/(xi, X2, • • • , Xn) = 0 (5.1.2) 

if and only if (toijtos, • • ,ta„) does for all t e if * (if* is the multiplicative group of the 
elemofils of K) Q ■■ (0, 0, • • 0) always satisfies Initiation (K 1 1) aiul is oallod its trivia] 
solution. This leads to the concept of projective space. 

5.1.2 Projective and Afilne Spaces 

Fbr any field K, let 

if" = -i^a) I € if,i = 1,2,* •• ,n} (5.1.3) 

be a vector space of n-tuples of elements of if. On the set 

if"^' - {Q} ■= {£ e ir+M £ a} 


define an equivalence relation by £ ~ if and only if j/ = for seme t e if*. Then the set 

P^{K) = if^‘ - {S} (5.1.5) 



60 


of equivalence classes is called the projective space over IC, l.e. P^(IC) consists of all 
nonzero vectors in with two vectcws jc,£ not ocHisidered different if £ = <2 with 
teK*. We can also think of P^{K) as OMsisting of lines thimtgh the wigln fl of 
The affine space A"{K) may be regarded a subset of P^{K) by the map 

A^{K) 9 ♦{ri, ^ 2 , . . . (xi, xa, . . . , x„, 1 ) e P^{K) (5.1.6) 


5.1.3 Plane Algebraic Cnires 

A curve C defined over a field K is the set of scdutions in jfif x if of the polynomizd 
equatimi 

C':/(x,y)«=0 (5.1.7) 

A projective curve L over K is the set of solutions in P^{K) of the homogeneous equation 

I:F(X,r,Z )-0 ( 5 . 1 . 8 ) 

with F{X,YyZ) € K{XyYyZ). One can homogenise Equation (5.1 7) to get Equation 

X Y 

(6 1 8) by putting x =■ — , y — and then multiplying throughout by Z*^^ Suppose 
(5 1 8) is obtained frcxn (5 1.7) as above. Then it is a projective model for the affine curve 
C as defined by the former The solutions for C are precisely those solutions of L for which 
Z 0, because (o, 6) is a point on C if and only if (a, b, 1) is a pc^t in L. The p<^t 
(a, h,c) oa L with c = 0 is called the point of infinity cm C The line of infinity is the set of 
all points {X^Y, Z) in F^{K) kw whkh Z = 0. The points on (5.1.7) are called the affine 
part of the projective curve (5 1.8). A projective ciurve is complete in the sense that it has 
the points at infinity that are missing from its affine part. 

5.1.4 Singularities of a Cunre 

Let L be a projective curve as (5 1 8) We say X is of order n if deg{F) =» n. A point 
P on L is called a multiple point of multiplicity r > 1 or an r-fokl point if all the partial 
derivatives of P(X, F, Z) of order < r vanish at P, but there is a partial derivative of order 
r that does not vanish at P If r = 1, P is called a regular car non-singular point, if r > 1, 



61 


P s called a singular pcdnt, eg. for r ■=> 2, it is called a double point and so oa. A curve is 
singular if it has a singularity, otherwise it is non-singular or smooth. 

Examplet Let C be the affine curve «= 2 ^. 

X Y 

lb homogenise the equatkxi, put x » ~,y a — . 

Zi z 

F{x, r, z) =M Y^z - a:* = 0 (5.1.9) 


Singularities must satisfy 


dF 

ex 

dF 

dY 

dF 

dZ 


= -3A* = 0 
^2YZ^0 
= F*=-0 


(5.1.10) 


which are of the form (0,0, Z) such that Z Thus (0, 0, 1) is the only singularity of C. 

8f^F 

It is a double point, since ^yjlp 7^ 0. 

Coming back to the general Wdistrass equation 

E :yl^ + a\xy -f- asy = x’ + 022* + 04X + os ( 3 . 1 . 1 ) 


where {a<} € K and (x, y) E K x K. 

Homogenising this equation to get the projective curve equivalent, 

X Y 

Put X = y = -= to get an equation of degree 3 

z z 

Y^Z + aiXrZ + asFZ^ = x’ + a^X'^Z -f mAZ* + a«Z* (5.1.11) 

Here the projective plane P®(A) over K is the set of equivalence classes of the relation 
acting on the set 

- {a} (6.1.12) 

where (xi, yi, zi) ~ (xj, yi, xa) if and tmly if there exists & u E K* such that xj *= ux 2 ,yi ■= 
uya, zi =* u ^2 We denote the equivalence class containing (x, y, x) by (x : y ; z). 



62 


The equation is said to be smooth or ncm-singular if all the f>rojective points P ■» (X : 
y : Z) € P^{K) sattefying 

L:F{X,Y,Z) (5.1.8) 

( 6F OF dF\ I 

If all the three partial derivatives vanish at P, then P is called a sing ular p<^t. There 
is exactly one point in E with z-<xxxdinate equal to 0, namely (0:1: 0). We call this point 
at infinity and denote by Q. Thus an elliptic curve E is the set of solutions to Equation 
(3.1.1) X K together with the extra point at infinity O. 

5.1.5 Addhioii Ibmmla uring Projective Coordinate System 

We consider two cases, a) the case for Fi, where char{Fk) > 3 and b) the case for 
P*,A:=:2-, chaT{Fk)^2. 

a) Case few F* where char{Fk) > 3 

Recalling the addition formula, ^ven P = (a::i,yi) e E and Q = (a:a,ya) € F, then 
P®Q = (®s, ys) where 


xj = A* — xi — X2 (3.2.9) 

V3 =“ — ajs) — yi 


where 


In projective coordinates, 


A 


Vi-Vi 

X2 — Xi * 

3xj + a 


ifp^g 

ifp=:g 


P = (xi • yi : 1) 

g «= (xa W ‘ *3) = ~ 

\Z3 Z2 J 


(3.2.10) 


(6.1.13) 


Tb find R (xj • yj 1), 



Computation time comparison for Affine and frofective Coordinate Systems 
Table 7.a: J? : y» = ** + * + 1 over F<iumr, point (653213,1489237) 


Repetkions 

Affine System 
(In sec) 

Projective System 
(In sec) 

1631 

0 097068 

0 097920 

2013 

0 136640 

0 136032 t 

5381 

0 195SB4 

0.194688 

12963 

0 632192 

0 616256 

53319 

2 821888 

2.340128 

109493 

4 986368 

3 204416 

605503 

25.000640 

17 844864 

933815 

46 786368 

29 417280 

2341651 

115 691392 

59 172800 


Table 7.b: jE?-y* + y = **+e + l over 


Fjif 


point (a’»^a“®“) 


Repetitions 

Affine System 
(In sec) 

Projective System 
(In sec) 

301 

0440128 

0 45B400 

417 

0 532192 

0502364 t 

863 

0 952480 

0791888 

2057 

2.86576 

1 827104 

4573 

5 019200 

3.478400 

113931 

10.2ni04 

6616256 


t beyond thv), prx^eictwe sgstem ts compntattonalls /aster than a£pne gystem. 









65 


xs x= 




B'(A'^ - 2B^xi) 


(6.1.19) 


One of the m&jor problems using affine (non-homogeneous) equations is that repeated 
division is required at each stage. Now using projective coordinate ^tem, at eadi step 
we compute the three-tuple (£ 3 , and perform the next operation using the same 
three-tuple and at the final step perftam the inversion by factor Z3. Thus we reduce the 
computation time by performing the thne^xtusuming Inversion operation cmly in the final 
step. 

As an example of encryption (or similarly in decryption) stage, consider a message 
m = P to be enciphered asQ zMr}P where r) e Z. Now if P is the affine point (xi,pi, 1 ), 
we cmnpute tjP by adding P to itself and then adding this result to P and so <m keeping 
the three-tuple result (xs, ps, Zi) at each stage and adding it to (a;i, pi, 1 ) at the next stage. 
Finally the result (xj, pj, zs) can be converted bade into affine coordinated by dividing each 
coordinate by Z 3 . 

The method is espedally useful when large number of additions are required. As a 
practicad example arithmetic in P<ja» has been reported where multiplication of two elements 
take 1300 clock cycles with inversioQ 50, 000 cycles at a clock rate of 20 MHz. Thus at each 
step we save by not having to perform a costly inversion. However, the trade-off incurred 
is that this computation time gain is at the expense of extra register storage elements. 
This tradeoff is apparant for lower values of repetitions as shown in 'ITable 7. 

Example: For the elliptic curve group E : ^ + x + 1 over P 4531317 and a pednt 

(653213, 1459237) whidh belongs to the group, simulation was done (in C language source 
code) to compare the computatioa times for affine and projective coordinate systems for 
various values of repetitions. It is observed fiom the table that for lower values of repe- 
titions, affine system of representation is computationally faster. This is because of the 
additional computation required for the third coordinate offsets the advantage of fewer 



66 


inversions. However, as the number of rei>etitkm 8 increase, the projective system repre- 
aentatioa shows clear advantage in saving computational time because of the inversion 
operation being withheld till the last stage of computatkm. 

b) The case for F*, it ■* 2”, char(fi) = 2 

Recalling the additkm formula for J-invariant elliptic curve groups, 

If P ■* (*i, pi) £ E and Q = (xj, € F, then P ^ (X 3 , yj) where 





and 


lft = 


In projective coordinates. 



+ Xi-fX2, ifP/Q 
ifP^Q 

(xi + X 3 ) 4- yi + 03 , il P 
(xi+a:s)+Vi+a3, ifP = Q 


P = (®i * yi : 1) 


Q = (x 2' 1/3: Zi)^ (— : — : I'j 

\Z2 za J 


lb find P = (x) : {/) : 1 ), 

we get by substituting Equation (5.1.13) in (3.2.13) and defining 

A =r (zjyi -f yj) 

B = (« 2 ®i + X 2 ) 


(3.2.13) 


(3.2.14) 


(5.1.20) 


(5.1.21) 


, A { A? 



67 


Defining zt *= B^zj, xj = and jft =* to get 


P^Q = (xs: Vs : 2^3) 


(6.1.23) 


where 


X3 = ^*S 25 +B^ (5.1.24) 

Va *= (1 + Vi)^s d* -4^X2 + AB ^ xa 

xa == B^z^ 


This addition formula requires nine multiplications^ two more than sifllne addition 
But this is computation overhead is o&et by not having to perform costly inversion at 
eadi step 

Sbcanoplet Consider the computation time comparison for the elliptic curve group E . 

rp 

y^ + v=»x* + x + l over — r= — — - and point (a^, a“**^) being repeatedly added. We 
observe that projective coordinate system oflPers dear advantage over the affine coordinate 
system for large values of repetitions (similar to the previous example). 

5.2 Choice of Basis representation 

In our entire anal}rsis (encryption and decryption), the basic problem Involves the 
foUowing: given a point P € E{Fk) over a field i**, find a point Q € E{Fk) such that 
Q = jjP, where 0 < tj < if‘E{Fit). 

So a proper dioice of basis function becomes very important to reduce the computar 
tional time involved in elliptic curve algebra. We start with the Standard Basis represen- 
tation. 

5.2.1 Standard Bads Representation 

Cwisider any field F^^ of characteristic q generated by an irredudble polynomial /(x) 
with a being the primitive element (/(o) = 0)- Then any element of ^4(0) € F^ can be 
represented as 


A{a) = oo + + • • + Ow-ia"* ^ 


(5.2.1) 



08 


Budi that 04 6 {0, 1, • . • ,g - 1} Vi € {0, 1, • • • ,m - 1} 

This is known as the Cartesian or Standard Basis representation of any element in 
In this representation, the addition operation is easy to compute. If A{a)+B{a) = C(a), 
then additkm occurs as 


04 + 64 = 04 Vi €{0,1, •••,!« - 1 } ( 5 . 2 . 2 ) 

Whereas the product A(a)^(a) is more difficult to compute. More particularly, 
consider A? {a) where A{a) € Fj*. 

A?{q) = (oo + OiQr + OaO^ + • • • + Om_iQt"*~^)* (5.2.3) 

= o^ + of a* + • • • + 0* 

= Oo + OjO* + • • + 

whidi is not in standard basis notation, since the terms corresponding to (a, oc^, * • •) 
are not present and thus the result is not in the form of 

C{a) = CO + cia + c<tO? + « • • + c«_ia”’-^ (5.2.4) 

To overcome this difficulty in multiplication, we use a Normal Basis representation. 

5.2.2 Normal Basis representation 

Consider an element sudi that {j0, • • • , } forms a linearly independent 

set. Th«i any element A{fi) € can be represented in Normal Basis notation as 

A{p) = ao/3 + + • . . + (5.2.5) 


and 


A^{0) = + afi3«* + • • • + (5.2.6) 


and since /?*" = 0 over F^, we have, 


A^(l9) = 0^-10 + ooiS’ + • • • + ' 


(6.2.7) 



Table 8: Polar to Cartesian Coordinate Mapping 


Fblar 

a> 

CarteedaiL 

at 

1 

0 

0 

0 

0 

1 

0 

0 

1 

a 

0 

1 

0 

a> 

1 

0 

0 


1 

0 

1 

a* 

1 

1 

1 

o» 

0 

1 

1 

a* 

1 

1 

0 


Table 9: Normal Basis Representation 


Element 0 

a< 

Normal Bebib 
ibria 

a" 

at 

0 

0 

0 

0 

1 

1 

1 

1 

a 

0 

0 

1 

a* 

0 

0 

1 

a^ 

1 

0 


a*- 

1 

0 


a» 

1 

1 


a« 

0 


D 


Figure 7: Squaring Operation of any element € F 3 . 

ElepreeentJOE of A(/3) 

£ 1^-3 I i I 1 ^ I 

4 Left Cfychc Shift 

[“‘ona-a I flm~3 j ^^*-4 | I ^ I I | 

Etepresention of A^{JS) 


^ a tif a prtrmtxfjc root oj the irrcductble poipnomtal -f 1 whtch generated Fja 

a) = 0 

\ The oonjngacg doss containing 0 forms a basis representation of the elements of 















70 


Considering 9 = 2, this has a simple interpretation as shown in Figure 7. Given an 
element stored in a register, a squaring operation is one left cyclic shift, quadrupling 
operation is two left cyclic shifts and so on. 

Every field has at least one element such that Is a linearly 

independent set. 

Ibcampkn Cmisider Ff generated by the irreducible polynomial f{x) = + 3 i^ + 1 and 

let a be a primitive element. 

Consider the set {a, a*, a*}. 

The mapping from polar to cartesian representation for the above field is shown in 
Table 8. 

Rank of the matrix 



is 3. Hence it can be chosen as a basis set for normal basis representation. Accordingly 
the elements of this field can be represented in the new basis system as shown in Thble 9. 

Considering the group o|>eration for elliptic curve cryptosystems, where most of the 
computation time is taken up by multiplication operation, we shall use normal basis rep- 
resentation while canydng out computations for encryption and decryption schemes. 

However, this is not necessarily the optimum f choice of basis functions. However, for 
a lack of a better basis set for easier computation, we shall use normal basis representation 
in our work. 

5.3 Some Efficient Encryption Schemes 

Consider an elliptic curve group E{Fk) defined over a field F*. The standard procedure 
to compute the ciphertext c = r}P where message text m = P,& point defined on the elliptic 
curve and 9 € Z, is to calculate it as 

9F = (• • • (((P ® P) ® P) ® P) © • • • P) (5.3.1) 


f optimum in the sense of minimising the computation time for group operations 


Computation Time Comparison for Standard and Efficient Methods of Group Opera 
tion 


Table 10.a: B ^* = *^ + * + 1 over Fatui, point (73292, 887013) 


Repet kioDB 

Standard Method 
(In sec) 

Efficient Method 
(In sec) 

771 

0 D49280 

0 005360 

5857 

0 375424 

0 010256 

11638 

0 789612 

0 011384 

38101 

2.438464 

0 013632 

97652 

6 689012 

0 01706<^; 

168321 

10 529920 

0 020316 


Table tO.b: B + + z + l over -r . -- -- . , , point (a<““ 


Repetitions 

Standard Method 
(in sec) 

E)fflcient Method 
(in sec) 

7533 

0482112 

0 007468 

25519 

1 833216 

0 009320 

61777 

4053720 

0 018824 

97351 

7 230400 

0 017976 

376609 

24 102976 

0 022312 

931672 

64 711004 

0 066266 


t Q I# a prvnxttmi root of the trreductble. poiynomicd /(i) = + x® + 1 whtch generates Fj* 

/(a) = 0 
















72 


But this procedure involves (»?— 1) steps to calculate the cipher. A second and a more 
efficient method [l] is realised as 

= (6.3.2) 

where fcq, € {0, 1} Ve {0,1,*** 1}. 

This method is a very useful because it can be easily implemented nwing systolic array 
processors. 

Examplet 

15P = Pe2P®4P©8P 
= (((P©2P)©4P)©8P) 

It is found that the number of operations n (one operation is adding two points on 
P(f*)) is bound as 

m + 1 <n<2m + l (5.3.3) 

where m = [fopat/J The expected number of operations for all values of ri of length n is 
1.5m + 1. 

Examplet Consider the elliptic curve group E :y^ =xx^ + x + l over Pastwi and a point 
(73292, 887013) which belongs to the group Simulation was done in C language to compare 
times for the standard and efficient methods of implementing group operation (See Table 
lO.a) It is found that the improvement in time taken is spectacular for large values of 
repetitions (order of 10^ or more). This is because the time taken increases approximately 
linearly for the standard technique whereas for the efficient method, it increases only in a 
logarithmic fashion. A similar exercise was carried out for the case of E : y*+y = x^+x+1 
over — -g — pomt a™®*), (See Ihble 10 b) and similar results were obtained. 



73 


Chapter 6 
Conclusions 


We conclude our discussion with a comparison with existing cryptosystems and discuss the 
soc^e for further work in this area. 

6.1 Comparison with existing Public-Key Cryptosystems 

In our analysis, we have presented elliptic curve analogs of the existing public-key 
cryptosystems and have discussed the ccanputational issues involved with them. In this 
secticn, we shall first compare the computational timings for encryption ttfdng the tradi- 
tional RSA scheme for public-key systems and the proposed Generalised Elliptic Curve 
sdieme which is the equivalent of RSA scheme based on elliptic curve algebra. 

6.1.1 Coiiq>utatioii Time Comparison 

FVmt this, we choose operations over the ring where n is a product of two prim^ 
Pi = 9857 and p 2 = 9839 and n = 96983023. For the RSA cme^ consider a messag^e 
nv^a = 13331 to be encrypted and the public-key available as er«, = 53293. The mes- 
sage mrrni can be r^resented as a two-tuple vector =* (3474,3492) where 

^ and 6 2 ^»s 3 », similarly the public-key Crsa can be represented in a 
two-tuple form as (cj^,c*^) = (4008,4098) where ej:„ € Zmr and e Zsm The 
operation of encryption given by ^ equivalently viewed as computing 

= ((3474)“°*, (3492)^) where e Zm? and 
Finally, on computing the two-tuple pair (4 jo»*^«j)> ^ compute Cr»a € 
Eg6ss3023 usmg CRT Notice that the two operations can be carried out in parallel and 
later combined using CRT We simulated the above process using C language source code 
and observed that the process output which is the ciphertext tv*, was <v*, s 24237098 
(mod <A(n)) where 0{n) = (pi — l)(pa — 1) = 96963328 and the time taken for computation 
was around 0.012976 sec (operating at a clock rate of 15625 ticks per second). 

Similarly, consider the elliptic curve E : -f 1 defined over Zgessaosa Now, 

both Pi = 2 (mod 3) and pa = 2 (mod 3) and hence the order of the two abelian 



74 


(cyclic) groups and E{Zp,) is given by = 9858 and #E(Zp,) = 9840 

respectively. Consider a message point given by ro,ec = (14321,5859531) e E{Zn) and 
the public-key available be « 53293 (same as the case above). The message 
can be represented as a two-tuple vector (m^,mj^) = ((4464,3909), (4482,5326)) where 
^\ee € E{Zws,7) and € £?(Z#8»), similarly the public-key can be r^iesented in 
a two-tuple form as (cj«,,cj,^) = (4008,4098) where ej^ € -^sssr and cj^ € Zi^. The 
operation of encryption given by Cgee — can be equivalently viewed as comput- 
ing 4c) = = (4008(4464, 3909), 4098(4482, 5326)) where 

4c ^ E(Zoss7) and 4c € E(Z 9 e»). Finally, on computing the two-tuple pair (4ci4c)» 
we compute € £?(Z8efl83(m) using CRT. On simulation, the ciphertext was found 
to be s (7439209,90875269) (mod #m) where #tn « /cm(#.B(Zp,),#iS?(Z,^)) = 
lcm(9858, 9840) = 5389040 and the time taken for computation was around 0.078636 sec 

Hence, in a direct comparison of timings of the RSA scheme and the Generalised 
Elliptic Curve scheme f , we find that RSA method is computationally superior i.c it is 
around six times as last as the analogous elliptic curve system. However, it is only natural 
to expect this as the amount of computation required for elliptic curve syston is far more 
complex than the RSA scheme where only a modulo multiplication is required at each step. 
Hence it can be safely copjuctured that the major slowing down factor for elliptic curve 
systems vis-arvis existing public-k^ cryptosystems lie in the computational complexily 
involved in the group (Tperation. 

Also one critical fact is that there is a message bandwidth expansion while using an 
elliptic curve cryptosystem as now we have to transmit two coordinates («, y) instead of 
one, as in traditional cryptosystems. However, by a proper choice of the elliptic group (like 
the classes over Fj*, m odd) we need to transmit only information of the trace function of 
y for a given x, which is only one bit long, either 0 or 1 since ground field is F^. Thus the 
message bandwidth expansion is almost negligible for these special cases. 

However, this penalty that we pay is for the benefit of greater amount of security that 
elliptic curve cryptosystems offer. 

\ here the order of the group, message texts and encryption keys have been taken 
as similar as possible m the two cases to facilitate a meaningful comparison 



75 


6.1.2 Comparison on Security Aspects 

In Chapter 1, -we had expresaed the hope that m>rking on a more general framework 
of grcmpe and mondda, we would be able to ward off many of the ciyptanalytic attacks 
that occur on a more restricted framework of fields and rings. Using the example of elliptic 
curve cryptosystems, we sh^ see that it is indeed so. 

Using cryptosystems based on the field structure, like Pohlig-Ifellman, El Gamal, etc., 
we have to keep the hide the order of the multiplicative group over which our ciyptosystem 
is based else all the ciphertexts ate very easily decrypted by cryptanalysis. Also the 
multiplicsdive group structure is the focal point of evaluating discrete logarithm method 
of attacks (like Index Calculus methods, etc). Hence, for a safe cryptosystem, one is left 
with the option of working in very high orders of groups which guarantee security. 

In cryptosystems based on ring structure J^„, like RSA scheme, where n is a prod- 
uct of very large primes, we can let out the parameter n.The security of the system is 
based on the difficulty of factoring a large number which is considered one of the most 
intractable problems in number theory. However, in recent past (4), there have been major 
improvements in solving factorization problems (reported upto 100 decimal digits). Hence, 
cryptosystems based on smaller factors are now being seriously threatened. 

Considering all this, attempts have been made to base the crypto^stems on a more 
general structure, notably the elliptic curve groups and matrix ting groups [22]. Since all 
that we need is structure over which we can define a permutation operator, group structures 
amply satisfy this requirement. Also, since the group operation is addition (denoted by 
0), the discrete logarithm attacks based on present methods become inoperative. One of 
the major advantages of using elliptic curve groups is that we can have added security by 
c hanging the curve periodically Moreover, in order to break the cipher one would need 
an algorithm for solving the discrete logarithm problem over an arbitrary elliptic curve, 
rather than just on a particular elliptic curve. The major saving on c hangin g periodically 
is that we can base the cryptosystem on much smaller orders of groups i. e we can continue 
using existing cryptosystems with suitable modifications. 

In the further generalization that we have made t e basing cryptosystems over monoid, 
we have added advantages over the RSA scheme The security of the system is two-fold 



coie, the integer htctorization problem, and two, the fact that we hide the elliptic cnk%o 
makes it almost impossible for a ci^rptanalyst to estimate the order of the abelian groups. 
Here again, we have the advantage of working in mudi smaller mders of n and thus smalls 
key lengths, which can be crucial in some applications, for example the design of smart 
card systems. 

6.2 Scope for Future Work 

Since the present worit is essmitially a study at a conceptual level and substantiating 
upon it with simulation results, some of the aspects which arise on practical implementation 
lilm oonfusioa, diffusion, etc. which are important because of hi gh redundancy of the 
source language have been necessarily excluded from the analysis. A detailed study of 
these aspects is required for a more complete picture of the problem. 

Currently, attempts are being made to build a dedicated RSA chip based on VLSI 
design In a similar way, we can tty to fabricate a dedicated elliptic curve cryptosystem 
chip with suitable modifications to the RSA chip dflaign 

Complexity analysis of the various algorithms used for elliptic curve mcryption and 
decryptkm can be carried out so that we can base our design decisions on what we believe 
to be the beet algorithms. 

One of the major problems for the slow bit rate of these systems is the complicated 
group algebra involved A detailed study needs to be carried out to seardi for a prefer 
choice of basis function for making these operations more efficient. 

We could also view freon a much more abstract level t.e considering the entire problem 
as one of a proper choice of an operates j over finite fields and rings with desired properties 
vis-a-vis security aspects and computational complexity. Msybe, we could find specific 
instances of operators with lesser computational complexities (which translate to faster 
encryption and decryption rat^) but guaranteeing same levels of security t.e time estimates 
for cryptanalytic attacks are similar 


I elliptic curve operator or matrix ring operators being only specific cases 



References 


[1] Agnew, G.B, Mullin, RC. and VamtCMoe, S.A. **A East Elliptic Curve Cryptosystem", 
Advances in Cryptdogy - Eurociypt ’89, Springer- Vedag (1989), 705-707. 

[2] Blake, I, Menezes A.J. Applications of Finite Fields^ Boston, Klewer Academic 
Puldishere, 1993. 

[3] Bender, A. and Guy Castagkmi ‘*On the implementation of ESliptk Curve Cryptosys- 
tems", Advances in Cryptology - Crypto ’89, Springer-Verlag (1990), 186-192, 

[4] Bach, Eric **IntractaUe proHems in Number The<»y", Advances in Cryptdogy - 
Crypto ’88, Spiingej^Verlag (1988), 77-93. 

[5] Brassard, Gilks “Modem Cryptology" - A Tutc^ial, Springer-Verlag (1988). 

[6] Chadial, J.S. Topics in Number Theory^ Plenum Press, New York 1^8. 

[7] Chin Long Chen “Fbrmulas toe sdiving quadratic equations over CF(2"*)", IEEE 
T^ans, Info. Th, 28 (1982), 792-794. 

[8] Chum, David and Jorge, W.de “Seme variatkms of RSA signatures and their security". 
Advances in Cryptology - Crypto ’86, Springer-Verlag (1986), 49-59, 

[9] Coppersmith, D. “Fast Evaluation of logarithm in Adds of characteristic two" , IE E E 
TVans. Info. Th, 30 (1984), 587-594, 

(10) Denning, Dewothy E, Cryptography and Data Security^ Addison- Wesley, 1982. 

(11) El Ganud, T. “A subexpcmential-time algcaithm Jot ccanputing discrete logarithm over 
GF(p*)", IEEE TVans. Info. Th, 31 (1985), 473-481. 

(12) Kaliski Jr, B.S. “A Pseudo-Random Bit Generator based on Eaiiptic logarithms" 
Advances k Cryptology - Crypto ’86, Springer-Verlag (1986), 84-103. 

(13) KoUitz, N. “Omstructing Elliptic Curve Cryptosystems in Charact«pistic 2" , Ad- 
vances in Cryptciogy - Crypto ’90, Springer- Veiiag (1991), 705-707. 

(14) KoWite, N. “Eaiiptic Curve Cryptesystenas", Mathematics of Computation, 48 (1987), 


203-209. 



[15] Lidl, Rudolf and Niederredter, HaraW Introduction to finite fields and their appli- 
cations^ Cambridge Univ. Press 1986. 

[18] Menesses, A. and Vanstooe, S.A. “The implementation of Elliptic Curve Ciyptoeys- 
tems”, Advances in Cryptology - Auscrypt *90, Springer- Verlag (1990), 2-13. 

[17] Miller, V. *Vae of Elliptic Curves in Cryptography", Advances in Ciypt<dogy - Crypto 
’85, Springer- Verlag (1986), 417-426. 

[18] Niven, Ivan and Zuckerman, H.S. An Introduction to ike Theory of Numbers, 
Wiley-Eastern, Third Ed. 1976. 

[19] Pohlig and Heilman, “An improved algorithm ft* ccxnputing logarithms over GP(p) 
and its cryptographic significance", IEEE 'Hnns. Info. Th, 24(1978), 106-110. 

[20] School, R.J. “Eaiiptk Curve over finite flekfe and the computatka of square roots itkxI 
p". Mathematics of Computation, 44 (1985) 483-494. 

[21] Stephens, N.M. “Lenstra’s Factorization Method based on Elliptic Curves", Advances 
in Cryptcdogy - Crypto ’85, Springer- Verlag (1985), 409-416. 

[22] Varadarajan, V. ‘*Iit 4 )doOT Rings and their use in Cryptogn^ply", Advances in Cryp- 
tc4ogy - Crypto ’85, Springer-Veriag (1985), 369-395. 



Errata 


1 Page 9, DefinUioa, read (j>{n) ts the number of positive integers less than or equal 
to n inffiead of <^(n) is the number of positive integers less than to n 

2. Page 10, Equation (2.4.4), read = 1 modn Instead of s 1 modp. 

3 Page 10, Equation (2 4 5) read m ^ Zj, instead of m € Zm c e Zp instead of C € Zp. 

4 Page 11, Equation (2.4 8), read "e = log^C' • •” instead of "c = log^c- 

6. Page 58, line 8, read "m' = (58,14) ©(11,59)'--” instead of "m' = (58,14) © 
(58,65) 

6. Page 61, Equation (5 1.11), read “ • = + a^X^Z • ” Instead of “ • • = af® -f- 

a2X^Z + •••’’ 

7. Page 68, Equation (5.2.7), read M’(/3) = • • • + Instead of M»(/?) = • •• + 



U74C4 


6£l- ’38f9S'£ 
K°i€^£> 




174C4 

Date Slip 

f^hls book is to be returneti on the 
date last stamped 



